CVE-2020-2274 - Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global confi

CVE-2020-2274

Summary

Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

References

Vulnerable Configurations

cpe:2.3:a:jenkins:elastest:0.9.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:0.9.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:0.10:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:0.10:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.0.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.0.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.0.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.0.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.1.0:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.2.1:*:*:*:*:jenkins:*:*
cpe:2.3:a:jenkins:elastest:1.2.1:*:*:*:*:jenkins:*:*

CVSS

Base:	2.1 (as of 25-10-2023 - 18:16)
Impact:
Exploitability:

CWE

CWE-312

CAPEC

Retrieve Embedded Sensitive Data
An attacker examines a target system to find sensitive data that has been embedded within it. This information can reveal confidential contents, such as account numbers or individual keys/credentials that can be used as an intermediate step in a larger attack.

Access

Vector	Complexity	Authentication
LOCAL	LOW	NONE

Impact

Confidentiality	Integrity	Availability
PARTIAL	NONE	NONE

cvss-vector via4

AV:L/AC:L/Au:N/C:P/I:N/A:N

refmap via4

confirm	https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-2014
mlist	[oss-security] 20200916 Multiple vulnerabilities in Jenkins plugins

Last major update

25-10-2023 - 18:16

Published

16-09-2020 - 14:15

Last modified

25-10-2023 - 18:16