Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS00d3g1LWM3MjMteHZ3ds4AAkZv
Credentials stored in plain text by Jenkins Copr Plugin
Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml
files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.
Permalink: https://github.com/advisories/GHSA-4wx5-c723-xvwvJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d3g1LWM3MjMteHZ3ds4AAkZv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00054
EPSS Percentile: 0.23527
Identifiers: GHSA-4wx5-c723-xvwv, CVE-2020-2177
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2177
- https://jenkins.io/security/advisory/2020-04-16/#SECURITY-1556
- http://www.openwall.com/lists/oss-security/2020/04/16/4
- https://github.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9
- https://github.com/advisories/GHSA-4wx5-c723-xvwv
Blast Radius: 1.0
Affected Packages
maven:org.fedoraproject.jenkins.plugins:copr
Affected Version Ranges: <= 0.3Fixed in: 0.6.1