CVE-2020-2119
Description
Jenkins Azure AD Plugin 1.1.2 and earlier transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Azure AD Plugin 1.1.2 and earlier exposes configured credentials in plain text via the global configuration form, risking credential theft.
Vulnerability
Analysis
CVE-2020-2119 affects the Jenkins Azure AD Plugin (now known as the Microsoft Entra ID Plugin). In versions 1.1.2 and earlier, the plugin transmits configured credentials—such as client secrets and certificates—in plain text as part of the global Jenkins configuration form [1][3]. This means that when an administrator views or saves the configuration page, the sensitive credential values are sent unencrypted over the network and may be displayed in the form fields, making them visible to anyone who can access that page.
Exploitation
Exploitation requires an attacker to have access to the Jenkins configuration form, typically granted to users with Overall/Administer or equivalent permissions. However, the exposure occurs every time the configuration UI is rendered, potentially allowing a malicious administrator or an attacker who has gained limited access to the Jenkins web interface to intercept or view the plaintext credentials [2]. The credential information is transmitted in the HTTP response and may also be logged or cached improperly.
Impact
Successful exposure of the Azure AD credentials could allow an attacker to authenticate as the Jenkins application to Microsoft Entra ID (Azure AD), potentially accessing or modifying directory data, impersonating users, or obtaining further access to connected Azure resources that rely on those credentials [4]. The severity is considered medium, as the attack requires some level of administrative access but the credentials are highly sensitive.
Mitigation
The vulnerability is fixed in Azure AD Plugin version 1.2.0, which was released on 2020-02-12 as part of a Jenkins security advisory [1][2]. Users should upgrade to version 1.2.0 or later immediately. No workarounds are provided; updating the plugin is the only mitigation.
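An added example, not code from the Jenkins project or the advisory: a check an administrator can run over a saved copy of their own global configuration page, before and after upgrading, to see whether any credential field still carries a plaintext value. The `{base64}` shape for an encrypted secret and the field names are assumptions, and the sample markup is constructed.

```python
import re
from html.parser import HTMLParser

# Assumption: Jenkins renders a properly protected secret as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Assumption: field names containing these words hold credentials.
SENSITIVE_NAME = re.compile(r"secret|password|certificate|token", re.I)


class SecretFieldAuditor(HTMLParser):
    """Collects <input> fields whose value looks like a plaintext credential."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = dict(attrs)
        name, value = a.get("name") or "", a.get("value") or ""
        is_password = (a.get("type") or "").lower() == "password"
        sensitive = is_password or SENSITIVE_NAME.search(name)
        if sensitive and value and not ENCRYPTED.match(value):
            # Report the field name and value length only, never the secret.
            self.findings.append((name, len(value)))


def audit_config_form(html):
    """Return [(field_name, value_length)] for plaintext secrets in the form."""
    auditor = SecretFieldAuditor()
    auditor.feed(html)
    return auditor.findings


# Constructed sample markup; field names and values are hypothetical.
VULNERABLE_FORM = """
<form name="config">
  <input type="text" name="_.clientId" value="11111111-2222-3333-4444-555555555555">
  <input type="password" name="_.clientSecret" value="example-plaintext-secret">
  <input type="text" name="_.tenant" value="contoso.example">
</form>"""
FIXED_FORM = VULNERABLE_FORM.replace(
    "example-plaintext-secret", "{AQAAABAAAAAQexampleciphertextonly0000}")

if __name__ == "__main__":
    print("before upgrade:", audit_config_form(VULNERABLE_FORM))
    print("after upgrade: ", audit_config_form(FIXED_FORM))
```

Any finding against a production page means the credential should be treated as exposed and rotated in Azure AD after the upgrade.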
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:azure-ad (Maven) | < 1.2.0 | 1.2.0 |
Affected products
- Range: <=1.1.2
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-vvg2-hg3c-mqj3 (advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2119 (advisory)
- www.openwall.com/lists/oss-security/2020/02/12/3 (mailing list)
- jenkins.io/security/advisory/2020-02-12/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-02-12 (Jenkins Security Advisories, Feb 12, 2020)