CVE-2020-2232 – org.jenkins-ci.plugins:email-ext

Package

Manager: maven
Name: org.jenkins-ci.plugins:email-ext
Vulnerable Version: >=2.72 <2.74

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:A/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 pctl0.14051

Details

Jenkins Email Extension Plugin SMTP password transmitted and displayed in plain text Email Extension Plugin stores an SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password. Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

Metadata

Created: 2022-05-24T17:25:24Z
Modified: 2022-12-20T20:29:16Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5c4v-vh95-c67c/GHSA-5c4v-vh95-c67c.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-5c4v-vh95-c67c
Finding: F017
Auto approve: 1