CVE-2020-2154 – org.jenkins-ci.plugins:zephyr-for-jira-test-management

Package

Manager: maven
Name: org.jenkins-ci.plugins:zephyr-for-jira-test-management
Vulnerable Version: >=0 <=1.5

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00024 pctl0.04868

Details

Jenkins Zephyr for JIRA Test Management Plugin stores credentials in plain text Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file `com.thed.zephyr.jenkins.reporter.ZfjReporter.xml` on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system.

Metadata

Created: 2022-05-24T17:10:29Z
Modified: 2023-01-06T17:03:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m365-98j8-w96w/GHSA-m365-98j8-w96w.json
CWE IDs: ["CWE-256", "CWE-312"]
Alternative ID: GHSA-m365-98j8-w96w
Finding: F020
Auto approve: 1