CVE-2020-2291 — Password stored in plain text by Jenkins couchdb-statistics Plugin

Description

Jenkins couchdb-statistics Plugin 0.3 and earlier stores its server password unencrypted in its global configuration file `org.jenkinsci.plugins.couchstats.CouchStatsConfig.xml` on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system. couchdb-statistics Plugin 0.4 stores its server password encrypted once its configuration is saved again.

How to fix CVE-2020-2291

To remediate CVE-2020-2291, upgrade the affected package to a fixed version below.

—upgrade to 0.4 or later

Is CVE-2020-2291 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 0.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2291
PATCHgithub.com/jenkinsci/couchdb-statistics-plugin
WEBwww.jenkins.io/security/advisory/2020-10-08/#SECURITY-2065
WEBwww.openwall.com/lists/oss-security/2020/10/08/5