Vulnerability Description
Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
CVSS Score
6.5
MEDIUM
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Project Inheritance | <= 19.08.02 |
Related Weaknesses (CWE)
References
- http://www.openwall.com/lists/oss-security/2020/06/03/3Mailing ListThird Party Advisory
- https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582Vendor Advisory
- http://www.openwall.com/lists/oss-security/2020/06/03/3Mailing ListThird Party Advisory
- https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582Vendor Advisory
FAQ
What is CVE-2020-2198?
CVE-2020-2198 is a vulnerability with a CVSS score of 6.5 (MEDIUM). Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.
How severe is CVE-2020-2198?
CVE-2020-2198 has been rated MEDIUM with a CVSS base score of 6.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2020-2198?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Project Inheritance.