CVE-2020-2124
First published: Wed Feb 12 2020(Updated: )
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Dynamic Extended Choice Parameter | <=1.0.1 | |
| maven/com.moded.extendedchoiceparameter:dynamic_extended_choice_parameter | <=1.0.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID?
The vulnerability ID is CVE-2020-2124.
How severe is CVE-2020-2124?
CVE-2020-2124 has a severity rating of 4.3 out of 10, which is considered medium.
What software is affected by CVE-2020-2124?
Jenkins Dynamic Extended Choice Parameter Plugin 1.0.1 and earlier versions are affected by CVE-2020-2124.
How does CVE-2020-2124 affect Jenkins?
CVE-2020-2124 allows the password to be stored unencrypted in job config.xml files, making it visible to users with Extended Read permission or access to the master file system.
How can the vulnerability in CVE-2020-2124 be mitigated?
To mitigate CVE-2020-2124, update to a version of Jenkins Dynamic Extended Choice Parameter Plugin that is not affected by the vulnerability.
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-h6pp-v4j6-w76c
- alias/CVE-2020-2124
- collector/nvd-cve
- vendor/jenkins
- product/dynamic extended choice parameter
- canonical/jenkins dynamic extended choice parameter
- package-manager/maven