CVE-2020-2153
First published: Mon Mar 09 2020(Updated: )
Backlog Plugin stores credentials in job `config.xml` files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Backlog | <=2.4 | |
| maven/org.jenkins-ci.plugins:backlog | <2.5 | 2.5 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/03/09/1
- https://jenkins.io/security/advisory/2020-03-09/#SECURITY-1510
- https://nvd.nist.gov/vuln/detail/CVE-2020-2153
- https://github.com/jenkinsci/backlog-plugin/commit/43f513380226831ed914c85e1bfff1cda296bbf7
- https://github.com/advisories/GHSA-p68c-xg89-2g5r (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-p68c-xg89-2g5r
- alias/CVE-2020-2153
- collector/nvd-cve
- collector/github-advisory
- agent/type
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/weakness
- agent/author
- agent/softwarecombine
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/jenkins
- canonical/jenkins backlog
- version/jenkins backlog/2.4
- package-manager/maven