GitHub Advisory DatabaseGHSA-R32R-F6WR-CC3WPassword stored in plain text by Jenkins TestComplete support Plugin
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
22.0%
Jenkins TestComplete support Plugin prior to version 2.5.2 stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. Version 2.5.2 contains a patch for this issue.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.jenkins-ci.plugins | testcomplete | * | cpe:2.3:a:org.jenkins-ci.plugins:testcomplete:*:*:*:*:*:*:*:* |
References
www.openwall.com/lists/oss-security/2020/07/02/7
github.com/advisories/GHSA-r32r-f6wr-cc3w
github.com/jenkinsci/testcomplete-plugin/commit/00988873c6ea7e8d081380e4262538960efd6bf1
github.com/jenkinsci/testcomplete-plugin/commit/91dae11421b70a334d2058286e30402cf2f86d4b
github.com/jenkinsci/testcomplete-plugin/commit/ca783d3b6be28b13f82865afa6a8888795d57d10
jenkins.io/security/advisory/2020-07-02/#SECURITY-1686
nvd.nist.gov/vuln/detail/CVE-2020-2209
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
LOW
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS
Percentile
22.0%