Low severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2020-2143

CVE-2020-2143

Description

Jenkins Logstash Plugin 2.3.1 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:logstash (Maven) | < 2.3.2 | 2.3.2 |

Affected products

1

Patches

1
b42d5c116473

[SECURITY-1516]

https://github.com/jenkinsci/logstash-pluginDaniel BeckMar 4, 2020via ghsa
8 files changed · +35 31
  • src/main/java/jenkins/plugins/logstash/configuration/ElasticSearch.java+5 5 modified
    @@ -91,15 +91,15 @@ public void setUsername(String username)
         this.username = username;
       }
     
    -  public String getPassword()
    +  public Secret getPassword()
       {
    -    return Secret.toString(password);
    +    return password;
       }
     
       @DataBoundSetter
    -  public void setPassword(String password)
    +  public void setPassword(Secret password)
       {
    -    this.password = Secret.fromString(password);
    +    this.password = password;
       }
     
       @DataBoundSetter
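Review bot: The new `getPassword()`/`setPassword(Secret)` pair has no Javadoc stating the changed contract. The getter now hands back the stored `Secret` itself, whereas the old getter went through `Secret.toString(password)`, which yields an empty string for a null secret; whether the field can be null is not visible here, since its declaration is outside the hunk. I would add `/** Returns the stored password as a Secret (may be null if never set); call getPlainText() only where the value is sent to the indexer. */` on the getter and a matching one-line comment on the setter. The same applies to the identical getter/setter hunks in RabbitMq.java and Redis.java.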
    @@ -132,7 +132,7 @@ public boolean equals(Object obj)
         if (getClass() != obj.getClass())
           return false;
         ElasticSearch other = (ElasticSearch) obj;
    -    if (!Secret.toString(password).equals(other.getPassword()))
    +    if (!Secret.toString(password).equals(other.getPassword().getPlainText()))
         {
           return false;
         }
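Review bot: `other.getPassword().getPlainText()` dereferences the other object's secret without a null check, while the left-hand side still uses the null-safe `Secret.toString(password)`. If `other` was built without a password (presumably possible, since the setter is an optional `@DataBoundSetter`), `equals` would throw a NullPointerException instead of returning false. Using the same helper on both sides avoids this: `if (!Secret.toString(password).equals(Secret.toString(other.getPassword())))`. The equals hunks in RabbitMq.java and Redis.java have the same asymmetry, and a test comparing an indexer with an unset password would pin the behaviour. The `equals` body starts and ends outside this hunk.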
    
  • src/main/java/jenkins/plugins/logstash/configuration/RabbitMq.java+5 5 modified
    @@ -104,15 +104,15 @@ public void setUsername(String username)
         this.username = username;
       }
     
    -  public String getPassword()
    +  public Secret getPassword()
       {
    -    return Secret.toString(password);
    +    return password;
       }
     
       @DataBoundSetter
    -  public void setPassword(String password)
    +  public void setPassword(Secret password)
       {
    -    this.password = Secret.fromString(password);
    +    this.password = password;
       }
     
       @Override
    @@ -125,7 +125,7 @@ public boolean equals(Object obj)
         if (getClass() != obj.getClass())
           return false;
         RabbitMq other = (RabbitMq) obj;
    -    if (!Secret.toString(password).equals(other.getPassword()))
    +    if (!Secret.toString(password).equals(other.getPassword().getPlainText()))
         {
           return false;
         }
    
  • src/main/java/jenkins/plugins/logstash/configuration/Redis.java+5 5 modified
    @@ -34,15 +34,15 @@ public void setKey(String key)
         this.key = key;
       }
     
    -  public String getPassword()
    +  public Secret getPassword()
       {
    -    return Secret.toString(password);
    +    return password;
       }
     
       @DataBoundSetter
    -  public void setPassword(String password)
    +  public void setPassword(Secret password)
       {
    -    this.password = Secret.fromString(password);
    +    this.password = password;
       }
     
       @Override
    @@ -55,7 +55,7 @@ public boolean equals(Object obj)
         if (getClass() != obj.getClass())
           return false;
         Redis other = (Redis) obj;
    -    if (!Secret.toString(password).equals(other.getPassword()))
    +    if (!Secret.toString(password).equals(other.getPassword().getPlainText()))
         {
           return false;
         }
    
  • src/main/java/jenkins/plugins/logstash/LogstashConfiguration.java+4 3 modified
    @@ -9,6 +9,7 @@
     
     import javax.annotation.CheckForNull;
     
    +import hudson.util.Secret;
     import org.kohsuke.stapler.StaplerRequest;
     
     import com.cloudbees.syslog.MessageFormat;
    @@ -162,7 +163,7 @@ public void migrateData()
                 redis.setHost(descriptor.getHost());
                 redis.setPort(descriptor.getPort());
                 redis.setKey(descriptor.getKey());
    -            redis.setPassword(descriptor.getPassword());
    +            redis.setPassword(Secret.fromString(descriptor.getPassword()));
                 logstashIndexer = redis;
                 enabled = true;
                 break;
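Review bot: `Secret.fromString(descriptor.getPassword())` shows that the legacy descriptor still supplies the password as a plain `String`, and nothing in this hunk clears that value once it has been copied into the new indexer. If the old descriptor's configuration stays persisted after `migrateData()` runs (not visible here), the plaintext password would remain on disk next to the encrypted one. It is worth confirming that the legacy field is nulled and the configuration re-saved after a successful migration. The same applies to the ElasticSearch and RabbitMq branches in the next two hunks; `migrateData()` starts and ends outside the hunk.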
    @@ -177,7 +178,7 @@ public void migrateData()
                   ElasticSearch es = new ElasticSearch();
                   es.setUri(uri);
                   es.setUsername(descriptor.getUsername());
    -              es.setPassword(descriptor.getPassword());
    +              es.setPassword(Secret.fromString(descriptor.getPassword()));
                   logstashIndexer = es;
                   enabled = true;
                 }
    @@ -194,7 +195,7 @@ public void migrateData()
                 rabbitMq.setPort(descriptor.getPort());
                 rabbitMq.setQueue(descriptor.getKey());
                 rabbitMq.setUsername(descriptor.getUsername());
    -            rabbitMq.setPassword(descriptor.getPassword());
    +            rabbitMq.setPassword(Secret.fromString(descriptor.getPassword()));
                 logstashIndexer = rabbitMq;
                 enabled = true;
                 break;
    
  • src/test/java/jenkins/plugins/logstash/configuration/ElasticSearchTest.java+4 3 modified
    @@ -7,6 +7,7 @@
     import java.net.URISyntaxException;
     import java.net.URL;
     
    +import hudson.util.Secret;
     import org.junit.Before;
     import org.junit.Rule;
     import org.junit.Test;
    @@ -27,13 +28,13 @@ public void setup() throws MalformedURLException, URISyntaxException
         URL url = new URL("http://localhost:4567/key");
         indexer = new ElasticSearch();
         indexer.setUri(url);
    -    indexer.setPassword("password");
    +    indexer.setPassword(Secret.fromString("password"));
         indexer.setUsername("user");
         indexer.setMimeType("application/json");
     
         indexer2 = new ElasticSearch();
         indexer2.setUri(url);
    -    indexer2.setPassword("password");
    +    indexer2.setPassword(Secret.fromString("password"));
         indexer2.setUsername("user");
         indexer2.setMimeType("application/json");
     }
    @@ -47,7 +48,7 @@ public void sameSettingsAreEqual()
       @Test
       public void passwordChangeIsNotEqual()
       {
    -    indexer.setPassword("newPassword");
    +    indexer.setPassword(Secret.fromString("newPassword"));
         assertThat(indexer.equals(indexer2), is(false));
       }
     
    
  • src/test/java/jenkins/plugins/logstash/configuration/RabbitMqTest.java+5 4 modified
    @@ -7,6 +7,7 @@
     import java.io.File;
     import java.nio.charset.Charset;
     
    +import hudson.util.Secret;
     import org.hamcrest.core.IsInstanceOf;
     import org.junit.Before;
     import org.junit.Rule;
    @@ -34,23 +35,23 @@ public void setup()
         indexer = new RabbitMq("UTF-8");
         indexer.setHost("localhost");
         indexer.setPort(4567);
    -    indexer.setPassword("password");
    +    indexer.setPassword(Secret.fromString("password"));
         indexer.setUsername("user");
         indexer.setQueue("queue");
         indexer.setVirtualHost("vhost");
     
         indexer2 = new RabbitMq("UTF-8");
         indexer2.setHost("localhost");
         indexer2.setPort(4567);
    -    indexer2.setPassword("password");
    +    indexer2.setPassword(Secret.fromString("password"));
         indexer2.setUsername("user");
         indexer2.setQueue("queue");
         indexer2.setVirtualHost("vhost");
     
         indexer3 = new RabbitMq("UTF-16");
         indexer3.setHost("localhost");
         indexer3.setPort(4567);
    -    indexer3.setPassword("password");
    +    indexer3.setPassword(Secret.fromString("password"));
         indexer3.setUsername("user");
         indexer3.setQueue("queue");
         indexer3.setQueue("vhost");
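Review bot: In the `indexer3` setup, `indexer3.setQueue("vhost");` directly follows `indexer3.setQueue("queue");`, so the queue name is overwritten with "vhost" and the virtual host is never set on that instance. This looks like a typo for `indexer3.setVirtualHost("vhost");`, which is what `indexer` and `indexer2` call. Both lines are unchanged context, but any test relying on `indexer3` currently differs from the others in more than its charset. `setup()` continues outside the hunk.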
    @@ -65,7 +66,7 @@ public void sameSettingsAreEqual()
       @Test
       public void passwordChangeIsNotEqual()
       {
    -    indexer.setPassword("newPassword");
    +    indexer.setPassword(Secret.fromString("newPassword"));
         assertThat(indexer.equals(indexer2), is(false));
       }
     
    
  • src/test/java/jenkins/plugins/logstash/configuration/RedisTest.java+4 3 modified
    @@ -3,6 +3,7 @@
     import static org.hamcrest.Matchers.is;
     import static org.junit.Assert.assertThat;
     
    +import hudson.util.Secret;
     import org.junit.Before;
     import org.junit.Rule;
     import org.junit.Test;
    @@ -24,13 +25,13 @@ public void setup()
         indexer.setHost("localhost");
         indexer.setPort(4567);
         indexer.setKey("key");
    -    indexer.setPassword("password");
    +    indexer.setPassword(Secret.fromString("password"));
     
         indexer2 = new Redis();
         indexer2.setHost("localhost");
         indexer2.setPort(4567);
         indexer2.setKey("key");
    -    indexer2.setPassword("password");
    +    indexer2.setPassword(Secret.fromString("password"));
     }
     
       @Test
    @@ -42,7 +43,7 @@ public void sameSettingsAreEqual()
       @Test
       public void passwordChangeIsNotEqual()
       {
    -    indexer.setPassword("newPassword");
    +    indexer.setPassword(Secret.fromString("newPassword"));
         assertThat(indexer.equals(indexer2), is(false));
       }
     
    
  • src/test/java/jenkins/plugins/logstash/LogstashConfigurationMigrationTest.java+3 3 modified
    @@ -82,7 +82,7 @@ public void redisMigration()
         assertThat(redis.getHost(),equalTo("localhost"));
         assertThat(redis.getPort(),is(4567));
         assertThat(redis.getKey(), equalTo("logstash"));
    -    assertThat(redis.getPassword(), equalTo("pwd"));
    +    assertThat(redis.getPassword().getPlainText(), equalTo("pwd"));
       }
     
       @Test
    @@ -130,7 +130,7 @@ public void elasticSearchMigration() throws URISyntaxException, MalformedURLExce
         ElasticSearch es = (ElasticSearch) indexer;
         URI uri = new URI("http://localhost:4567/logstash");
         assertThat(es.getUri(),equalTo(uri));
    -    assertThat(es.getPassword(), equalTo("pwd"));
    +    assertThat(es.getPassword().getPlainText(), equalTo("pwd"));
         assertThat(es.getUsername(), equalTo("user"));
       }
     
    @@ -147,7 +147,7 @@ public void rabbitMqMigration()
         assertThat(es.getHost(),equalTo("localhost"));
         assertThat(es.getPort(),is(4567));
         assertThat(es.getQueue(), equalTo("logstash"));
    -    assertThat(es.getPassword(), equalTo("pwd"));
    +    assertThat(es.getPassword().getPlainText(), equalTo("pwd"));
         assertThat(es.getUsername(), equalTo("user"));
       }
     
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

5

News mentions

1