CVE-2020-2143 — Credentials transmitted in plain text by Jenkins Logstash Plugin

Description

Logstash Plugin stores credentials in its global configuration file `jenkins.plugins.logstash.LogstashConfiguration.xml` on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations. Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

How to fix CVE-2020-2143

To remediate CVE-2020-2143, upgrade the affected package to a fixed version below.

—upgrade to 2.3.2 or later

Is CVE-2020-2143 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.3.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2143
PATCHgithub.com/jenkinsci/logstash-plugin
WEBgithub.com/jenkinsci/logstash-plugin/commit/b42d5c116473d11c79ebd2ff24e2643b9bce14d6
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1516