CVE-2020-2177 — Credentials stored in plain text by Jenkins Copr Plugin

描述

Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.

如何修補 CVE-2020-2177

要修補 CVE-2020-2177,請將受影響套件升級到下列已修補版本。

—升級至 0.6.1 或更新版本

CVE-2020-2177 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 0.6.1

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2177
PATCHgithub.com/jenkinsci/copr-plugin
WEBgithub.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9
WEBjenkins.io/security/advisory/2020-04-16/#SECURITY-1556