CVE-2020-2198

CWE-522 — Insufficiently Protected Credentials6 documents6 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 85.44%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Project Inheritance Plugin Jenkins Project Inheritance

Timeline

PublishedJun 3

Latest updateMay 24

Description

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶CVEListV5jenkins_project/jenkins_project_inheritance_pluginunspecified — 19.08.02

▶NVDjenkins/project_inheritance19.08.02

▶Mavenhudson.plugins:project-inheritance21.04.03

🔴Vulnerability Details

OSV

Missing permission check in Jenkins Project Inheritance Plugin↗2022-05-24

▶

GHSA

Missing permission check in Jenkins Project Inheritance Plugin↗2022-05-24

▶

CVEList

CVE-2020-2198: Jenkins Project Inheritance Plugin 19↗2020-06-03

▶

💥Exploits & PoCs

Exploit-DB

Playable 9.18 iOS - Persistent Cross-Site Scripting↗2020-04-17

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2020-06-03↗2020-06-03

▶