CVE-2020-2153 – org.jenkins-ci.plugins:backlog

Package

Manager: maven
Name: org.jenkins-ci.plugins:backlog
Vulnerable Version: >=0 <2.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00024 pctl0.0488

Details

Credentials transmitted in plain text by Backlog Plugin Backlog Plugin stores credentials in job `config.xml` files as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Backlog Plugin 2.4 and earlier. These credentials could be viewed by users with Extended Read permission.

Metadata

Created: 2022-05-24T17:10:29Z
Modified: 2023-01-14T05:25:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-p68c-xg89-2g5r/GHSA-p68c-xg89-2g5r.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-p68c-xg89-2g5r
Finding: F017
Auto approve: 1