CVE-2020-2177
First published: Thu Apr 16 2020(Updated: )
Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Copr | <=0.3 | |
| maven/org.fedoraproject.jenkins.plugins:copr | <=0.3 | 0.6.1 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2020/04/16/4
- https://jenkins.io/security/advisory/2020-04-16/#SECURITY-1556
- https://nvd.nist.gov/vuln/detail/CVE-2020-2177
- https://github.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9
- https://github.com/advisories/GHSA-4wx5-c723-xvwv (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-4wx5-c723-xvwv
- alias/CVE-2020-2177
- collector/nvd-cve
- collector/github-advisory
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/references
- agent/last-modified-date
- agent/author
- agent/description
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/jenkins
- canonical/jenkins copr
- version/jenkins copr/0.3
- package-manager/maven