Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS00d3g1LWM3MjMteHZ3ds4AAkZv

Credentials stored in plain text by Jenkins Copr Plugin

Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.

Permalink: https://github.com/advisories/GHSA-4wx5-c723-xvwv
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS00d3g1LWM3MjMteHZ3ds4AAkZv
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: 12 months ago


CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00054
EPSS Percentile: 0.23527

Identifiers: GHSA-4wx5-c723-xvwv, CVE-2020-2177
References: Repository: https://github.com/jenkinsci/copr-plugin
Blast Radius: 1.0

Affected Packages

maven:org.fedoraproject.jenkins.plugins:copr
Affected Version Ranges: <= 0.3
Fixed in: 0.6.1