Moderate severityNVD Advisory· Published Jan 15, 2020· Updated Aug 4, 2024
CVE-2020-2095
CVE-2020-2095
Description
Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
com.redgate.plugins.redgatesqlci:redgate-sql-ciMaven | < 2.0.5 | 2.0.5 |
Affected products
1- Range: unspecified
Patches
1962f1770eeb1[SECURITY-1696] Encrypt NuGetAPI key
3 files changed · +18 −12
src/main/java/redgatesqlci/PublishBuilder.java+11 −5 modified@@ -8,6 +8,7 @@ import hudson.tasks.BuildStepDescriptor; import hudson.tasks.Builder; import hudson.util.FormValidation; +import hudson.util.Secret; import net.sf.json.JSONObject; import org.kohsuke.stapler.DataBoundConstructor; import org.kohsuke.stapler.QueryParameter; @@ -31,9 +32,13 @@ public String getNugetFeedUrl() { return nugetFeedUrl; } - private final String nugetFeedApiKey; + private Secret nugetFeedApiKey; - public String getNugetFeedApiKey() { + public void setNugetFeedApiKey(Secret nugetFeedApiKey) { + this.nugetFeedApiKey = nugetFeedApiKey; + } + + public Secret getNugetFeedApiKey() { return nugetFeedApiKey; } @@ -53,7 +58,7 @@ public SqlChangeAutomationVersionOption getSqlChangeAutomationVersionOption() { public PublishBuilder( final String packageid, final String nugetFeedUrl, - final String nugetFeedApiKey, + final Secret nugetFeedApiKey, final String packageVersion, final SqlChangeAutomationVersionOption sqlChangeAutomationVersionOption) { this.packageid = packageid; @@ -82,9 +87,10 @@ public boolean perform(final AbstractBuild build, final Launcher launcher, final params.add("-nugetFeedUrl"); params.add(getNugetFeedUrl()); - if (!getNugetFeedApiKey().isEmpty()) { + final String nugetKey = getNugetFeedApiKey().getPlainText(); + if (!nugetKey.isEmpty()) { params.add("-nugetFeedApiKey"); - params.add(getNugetFeedApiKey()); + params.add(nugetKey); } addProductVersionParameter(params, sqlChangeAutomationVersionOption);
src/main/java/redgatesqlci/SqlContinuousIntegrationBuilder.java+6 −6 modified@@ -82,19 +82,19 @@ private ProcStarter defineProcess( argumentsBuilder.add(scaRunnerLocation.getRemote()); argumentsBuilder.add("-Verbose"); - boolean foundTemporaryDatabasePassword = false; + boolean foundParameterToMask = false; for (String parameter : params) { - if (foundTemporaryDatabasePassword) { - foundTemporaryDatabasePassword = false; + if (foundParameterToMask) { + foundParameterToMask = false; argumentsBuilder.add(parameter, true); continue; } argumentsBuilder.add(parameter); - - if (parameter.contains("temporaryDatabasePassword")) { - foundTemporaryDatabasePassword = true; + + if (parameter.contains("temporaryDatabasePassword") || parameter.contains("nugetFeedApiKey")) { + foundParameterToMask = true; } }
src/main/resources/redgatesqlci/PublishBuilder/config.jelly+1 −1 modified@@ -17,7 +17,7 @@ <f:textbox/> </f:entry> <f:entry title="NuGet Feed API Key:" field="nugetFeedApiKey"> - <f:textbox/> + <f:password/> </f:entry> </f:section>
Vulnerability mechanics
Generated by null/stub on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
4- github.com/advisories/GHSA-x23m-8c2h-6wg7ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2020-2095ghsaADVISORY
- github.com/jenkinsci/redgate-sql-ci-plugin/commit/962f1770eeb1f18dfac91d12461fa6db566e769eghsaWEB
- jenkins.io/security/advisory/2020-01-15/ghsax_refsource_CONFIRMWEB
News mentions
0No linked articles in our index yet.