CVE-2020-2198

MEDIUM

Jenkins Project Inheritance - Insufficiently Protected Credentials

Title source: rule

Description

Jenkins Project Inheritance Plugin 19.08.02 and earlier does not redact encrypted secrets in the 'getConfigAsXML' API URL when transmitting job config.xml data to users without Job/Configure.

References (2)

[Mailing List, Third Party Advisory] http://www.openwall.com/lists/oss-security/2020/06/03/3

[Vendor Advisory] https://jenkins.io/security/advisory/2020-06-03/#SECURITY-1582

Scores

CVSS v3 6.5

EPSS 0.0005

EPSS Percentile 14.4%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Classification

CWE

CWE-522

Status published

Affected Products (2)

jenkins/project_inheritance < 19.08.02

hudson.plugins/project-inheritance Maven

Timeline

Published Jun 03, 2020

Tracked Since Feb 18, 2026