CVE-2020-2239 — Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin

描述

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system. Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.

如何修補 CVE-2020-2239

要修補 CVE-2020-2239,請將受影響套件升級到下列已修補版本。

—升級至 3.1.4 或更新版本

CVE-2020-2239 正在被利用嗎?

低 — EPSS 為 0.0%,目前沒有觀察到大規模利用活動。

受影響套件(1)

from 0, < 3.1.4

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	LOW3.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2239
PATCHgithub.com/jenkinsci/parameterized-remote-trigger-plugin
WEBgithub.com/jenkinsci/parameterized-remote-trigger-plugin/commit/2902ef5ea6eb077f43fd25c880e4920faea4e828
WEBjenkins.io/security/advisory/2020-09-01/#SECURITY-1625