CVE-2020-2250

Published: Sep 1, 2020Modified: Nov 21, 2024

6.5

Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Exploitability: 2.8 / Impact: 3.6

Source: NVD

Description

Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Affected (1)

Products: Jenkins: Soapui Pro Functional Testing

1 product

Soapui Pro Functional Testing

Configuration A

1 vulnerable

Vulnerable Software	Affected Versions
Jenkins Soapui Pro Functional Testing	Up to 1.3

Related CWEs

Missing Encryption of Sensitive Data

The product does not encrypt sensitive or critical information before storage or transmission.

References (4)

http://www.openwall.com/lists/oss-security/2020/09/01/3

Source: jenkinsci-cert@googlegroups.com

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%281%29

Source: jenkinsci-cert@googlegroups.com

http://www.openwall.com/lists/oss-security/2020/09/01/3

Source: af854a3a-2127-422b-91ae-364da2661108

Mailing ListThird Party Advisory

https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%281%29

Source: af854a3a-2127-422b-91ae-364da2661108

Timeline

No history available yet.