CVE-2020-2177 — Credentials stored in plain text by Jenkins Copr Plugin

Description

Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.

How to fix CVE-2020-2177

To remediate CVE-2020-2177, upgrade the affected package to a fixed version below.

—upgrade to 0.6.1 or later

Is CVE-2020-2177 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2177
PATCHgithub.com/jenkinsci/copr-plugin
WEBgithub.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9
WEBjenkins.io/security/advisory/2020-04-16/#SECURITY-1556