CVE-2020-2213 — Credentials stored in plain text by Jenkins White Source Plugin

Description

White Source Plugin prior to version 20.8.1 stores credentials in plain text as part of its global configuration file `org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml` and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system. Version 20.8.1 contains a patch for the issue.

How to fix CVE-2020-2213

To remediate CVE-2020-2213, upgrade the affected package to a fixed version below.

—upgrade to 20.8.1 or later

Is CVE-2020-2213 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 20.8.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2213
PATCHgithub.com/jenkinsci/whitesource-plugin
WEBgithub.com/jenkinsci/whitesource-plugin/commit/4a9ee37246848c65cd41c5cf17d84992ffc6d21d
WEBjenkins.io/security/advisory/2020-07-02/#SECURITY-1630