VYPR
Moderate severity · NVD Advisory · Published Feb 12, 2020 · Updated Aug 4, 2024

CVE-2020-2129

Description

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file, exposing it to users with master file system access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

The Jenkins Eagle Tester Plugin, versions 1.0.9 and earlier, stores a password in plaintext within its global configuration file on the Jenkins master [1][3]. This file is readable by any user with access to the Jenkins master's file system, including those with only file system-level privileges rather than administrative Jenkins permissions.

Attack Vector and Prerequisites

An attacker who gains access to the Jenkins master's file system—for example, through compromised credentials, another vulnerability, or direct server access—can retrieve the unencrypted password from the plugin's configuration file [1]. No authentication to Jenkins itself is required beyond file system read access, as the password is stored without any encryption or obfuscation.

Impact

Once an attacker obtains this password, they can use it to authenticate to any external service the plugin is configured to connect to, potentially compromising those systems [1]. The severity is considered medium (CVSS base score 5.0) due to the prerequisite of file system access, but the impact can be significant depending on the permissions of the exposed credentials.

Mitigation

Jenkins has released Eagle Tester Plugin version 1.0.10, which encrypts the stored password [1]. Users should update to this version or later. As of the advisory date, no workaround was provided; manually replacing the password in the configuration file does not encrypt it, so updating the plugin is the recommended remediation [1].
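One way to check a controller's plugin configuration files for this class of problem, as an added example that is not from the advisory or the plugin's code: it flags sensitive-looking XML elements whose value is not in the brace-wrapped base64 form Jenkins uses for encrypted Secret values, and reports element names only. The element names and sample XML are constructed assumptions; this page does not give the plugin's real configuration file name or field names.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumption: Jenkins writes encrypted hudson.util.Secret values as {base64}.
SECRET_RE = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")
# Heuristic list of element names that usually hold credentials.
SENSITIVE_RE = re.compile(r"passw|passphrase|secret|token|api_?key", re.I)
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")


def looks_encrypted(value):
    """True if value has the brace-wrapped base64 shape of a Jenkins Secret."""
    m = SECRET_RE.match(value.strip())
    if not m:
        return False
    try:
        raw = base64.b64decode(m.group(1), validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return False
    return len(raw) >= 16  # at least one AES block


def plaintext_secret_fields(xml_text):
    """Return tag names of sensitive-looking elements stored unencrypted.

    Only names are returned, so the audit report never contains the secret.
    """
    # Jenkins emits an XML 1.1 declaration, which Python's expat-based
    # parser does not accept; drop the declaration before parsing.
    root = ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1))
    return [
        el.tag for el in root.iter()
        if (el.text or "").strip()
        and SENSITIVE_RE.search(el.tag)
        and not looks_encrypted(el.text)
    ]


# Constructed samples: hypothetical element names, placeholder values.
BEFORE = """<?xml version='1.1' encoding='UTF-8'?>
<example.plugin.GlobalConfig>
  <username>ci-bot</username>
  <password>constructed-plaintext</password>
</example.plugin.GlobalConfig>"""
AFTER = BEFORE.replace(
    "constructed-plaintext", "{" + base64.b64encode(bytes(48)).decode() + "}")

if __name__ == "__main__":
    print("before:", plaintext_secret_fields(BEFORE))
    print("after: ", plaintext_secret_fields(AFTER))
```

The check is a shape heuristic: it confirms a value looks like an encrypted Secret, not that it decrypts with the controller's key.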

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: com.mobileenerlytics.eagle.tester:eagle-tester (Maven)
Affected versions: <= 1.0.9
Patched versions: (none listed)
