CVE-2020-2153 — Credentials transmitted in plain text by Backlog Plugin

Description

Backlog Plugin stores credentials in job `config.xml` files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

How to fix CVE-2020-2153

To remediate CVE-2020-2153, upgrade the affected package to a fixed version below.

—upgrade to 2.5 or later

Is CVE-2020-2153 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.1	CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2153
PATCHgithub.com/jenkinsci/backlog-plugin
WEBgithub.com/jenkinsci/backlog-plugin/commit/43f513380226831ed914c85e1bfff1cda296bbf7
WEBjenkins.io/security/advisory/2020-03-09/#SECURITY-1510