CVE-2020-2177 – org.fedoraproject.jenkins.plugins:copr

Package

Manager: maven
Name: org.fedoraproject.jenkins.plugins:copr
Vulnerable Version: >=0 <0.6.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00024 pctl0.04897

Details

Credentials stored in plain text by Jenkins Copr Plugin Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system. Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.

Metadata

Created: 2022-05-24T17:15:35Z
Modified: 2022-12-16T23:00:33Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4wx5-c723-xvwv/GHSA-4wx5-c723-xvwv.json
CWE IDs: ["CWE-256", "CWE-312"]
Alternative ID: GHSA-4wx5-c723-xvwv
Finding: F020
Auto approve: 1