CVE-2020-2239: Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin
CVSS Score: 3.3 (CVSS v3.1)
Basic Information
CVE ID: CVE-2020-2239
GHSA ID:
EPSS Score: 0.14665%
CWE:
Published: 5/24/2022
Updated: 12/7/2023
KEV Status: No
Technology: Java
Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:Parameterized-Remote-Trigger | maven | <= 3.1.3 | 3.1.4 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from handling authentication tokens as plain text strings instead of encrypted `Secret` objects. The commit diff shows three critical changes: (1) the `apiToken` field of `TokenAuth` changed from `String` to `Secret`; (2) `getApiToken()`/`setApiToken()` were modified to handle `Secret`s; (3) `Auth.a2uth2ToAuth()` stopped using `getApiToken().getPlainText()`. In vulnerable versions these functions handled credential storage and retrieval directly, without encryption, matching the CWE-256/311 descriptions of plaintext storage.