CVE-2020-2239
Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin
CVSS 3.1: 3.3 (LOW)
EPSS: 0.05%
Description
Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.
How to fix CVE-2020-2239
To remediate CVE-2020-2239, upgrade the affected package to a fixed version below.
- upgrade to 3.1.4 or later
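As the description notes, 3.1.4 only rewrites the secret in encrypted form once the configuration is saved again, so an upgraded controller can still hold the old plaintext file. The check below is an added example (not code from the plugin or from this advisory) that flags secret elements whose value is not in Jenkins' encrypted `{base64}` form; the element names `apiToken` and `password`, the `config` root element and both sample documents are assumptions constructed for illustration.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Jenkins serialises encrypted hudson.util.Secret values as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects,
# so the declaration is dropped before parsing.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Assumption: element names that hold secrets; confirm against your own file.
SECRET_TAGS = ("apiToken", "password")

# Constructed sample of a file written before the fix (not real plugin output).
BEFORE_RESAVE = """<?xml version='1.1' encoding='UTF-8'?>
<config>
  <remoteSites>
    <site>
      <displayName>constructed-example</displayName>
      <apiToken>constructed-plaintext-value</apiToken>
    </site>
  </remoteSites>
</config>"""
# Constructed sample of the same file after the configuration was saved again.
AFTER_RESAVE = BEFORE_RESAVE.replace(
    "constructed-plaintext-value", "{AQAAABAAAAAQY29uc3RydWN0ZWQ=}")


def find_plaintext_secrets(xml_text, secret_tags=SECRET_TAGS):
    """Return the tags of secret elements whose value is not encrypted."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    findings = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        # Heuristic: any non-empty value not shaped like "{base64}" is plaintext.
        if elem.tag in secret_tags and value and not ENCRYPTED.match(value):
            findings.append(elem.tag)
    return findings


if __name__ == "__main__":
    # Pass the path of the global configuration file, or run on the sample.
    text = (open(sys.argv[1], encoding="utf-8").read()
            if len(sys.argv) > 1 else BEFORE_RESAVE)
    for tag in find_plaintext_secrets(text):
        print(f"plaintext value in <{tag}>: save the plugin configuration again")
```

The script only reports element names and never prints the secret value itself, so its output is safe to paste into a ticket.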
Is CVE-2020-2239 being exploited?
Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 3.1.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |