CVE-2020-2107: Insufficiently Protected Credentials in Project Jenkins Fortify Plugin

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.0% (top 91.25%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Jan 29; Latest update May 24

Description

Jenkins Fortify Plugin 19.1.29 and earlier stores proxy server passwords unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEList V5: jenkins_project/jenkins_fortify_plugin, unspecified to 19.1.29
NVD: jenkins/fortify, 19.1.29

Vulnerability Details (3)

GHSA: Fortify Plugin stored credentials in plain text (2022-05-24)
OSV: Fortify Plugin stored credentials in plain text (2022-05-24)
CVEList: CVE-2020-2107: Jenkins Fortify Plugin 19 (2020-01-29)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2020-01-29 (2020-01-29)

Community (3)

Bugzilla: CVE-2020-1758 keycloak: improper verification of certificate with host mismatch could result in information disclosure (2020-03-11)
Bugzilla: CVE-2020-1724 keycloak: problem with privacy after user logout (2020-02-07)
Bugzilla: CVE-2020-1718 keycloak: security issue on reset credential flow (2020-01-31)
CVE-2020-2107 — Insufficiently Protected Credentials | cvebase