CVE-2020-2145
Description
Jenkins Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores Zephyr password in plain text on the Jenkins master file system.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability Description
The Jenkins Zephyr Enterprise Test Management Plugin up to version 1.9.1 stores the Zephyr password in plain text in the Jenkins master file system [1][2]. This occurs because the plugin does not encrypt the credential when persisting it to disk, leaving it accessible to any user with read access to the Jenkins master file system.
Exploitation and Impact
An attacker with access to the Jenkins master file system (e.g., through a sandbox bypass or other vulnerabilities) can retrieve the Zephyr password in plain text [4]. This could lead to unauthorized access to the Zephyr Enterprise instance, enabling the attacker to view, modify, or delete test management data.
Mitigation
The issue has been fixed in Zephyr Enterprise Test Management Plugin version 1.10, which encrypts the stored password [1][2]. Users are strongly advised to upgrade to version 1.10 or later. No workaround is available.
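A defender-side check for the condition described above, as an added example that is not from the advisory or the plugin: it walks a Jenkins home directory and reports whether password-named XML elements hold a value in Jenkins' `{base64}` Secret form or plain text, without printing the value. The file names, element names and sample values are constructed assumptions; the page does not name the plugin's configuration file.

```python
import base64
import re
import sys
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")      # Jenkins may write XML 1.1, which expat rejects
SECRET = re.compile(r"^\{([A-Za-z0-9+/=]+)\}$")   # Jenkins Secret form: {base64}

def classify(value):
    """Return 'empty', 'encrypted' or 'plaintext' without echoing the value."""
    value = (value or "").strip()
    if not value:
        return "empty"
    match = SECRET.match(value)
    if match:
        try:
            base64.b64decode(match.group(1), validate=True)
            return "encrypted"
        except ValueError:      # braces around something that is not base64
            pass
    return "plaintext"

def audit(jenkins_home):
    """List (file, element, verdict) for leaf elements whose name contains 'password'."""
    findings = []
    for path in sorted(Path(jenkins_home).rglob("*.xml")):
        text = XML_DECL.sub("", path.read_text(encoding="utf-8", errors="replace"), count=1)
        try:
            root = ET.fromstring(text)
        except ET.ParseError:
            continue            # not well-formed XML; skip
        for el in root.iter():
            if "password" in el.tag.lower() and len(el) == 0:
                findings.append((path.name, el.tag, classify(el.text)))
    return findings

def demo():
    """Run the audit over two constructed config files (names and contents are made up)."""
    samples = {
        "before-upgrade.xml": "<?xml version='1.1' encoding='UTF-8'?>\n<cfg><password>hunter2</password></cfg>",
        "after-upgrade.xml": "<?xml version='1.1' encoding='UTF-8'?>\n<cfg><password>{QUJDREVGR0hJSktMTU5PUA==}</password></cfg>",
    }
    with tempfile.TemporaryDirectory() as home:
        for name, body in samples.items():
            Path(home, name).write_text(body, encoding="utf-8")
        return audit(home)

if __name__ == "__main__":
    for finding in (audit(sys.argv[1]) if len(sys.argv) > 1 else demo()):
        print(*finding)
```

Any `plaintext` verdict that remains after upgrading means the stored value was not rewritten in encrypted form and the configuration should be re-saved and the password rotated.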
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:zephyr-enterprise-test-management (Maven) | < 1.10 | 1.10 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xv58-gp43-6m76 (GHSA, advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-2145 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2020/03/09/1 (GHSA, mailing list)
- jenkins.io/security/advisory/2020-03-09/ (GHSA, vendor confirmation)
- plugins.jenkins.io/zephyr-enterprise-test-management (GHSA, package)
News mentions
- Jenkins Security Advisory 2020-03-09 (Jenkins Security Advisories, Mar 9, 2020)