CVE-2020-2312 — Password written to the build log by Jenkins SQLPlus Script Runner Plugin

Description

Jenkins SQLPlus Script Runner Plugin 2.0.12 and earlier prints the `sqlplus` command invocation to the build logs. This log message does not redact a password provided as part of a command line argument. This password can be viewed by users with Item/Read permission. Jenkins SQLPlus Script Runner Plugin 2.0.13 no longer prints the password in the build logs.

How to fix CVE-2020-2312

To remediate CVE-2020-2312, upgrade the affected package to a fixed version below.

—upgrade to 2.0.13 or later

Is CVE-2020-2312 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.13

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2312
PATCHgithub.com/jenkinsci/sqlplus-script-runner-plugin
WEBwww.jenkins.io/security/advisory/2020-11-04/#SECURITY-2129