VYPR
Low severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2020-2149

Description

Jenkins Repository Connector Plugin ≤1.2.6 exposes configured credentials in plain text via the global configuration form.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Description

Jenkins Repository Connector Plugin versions 1.2.6 and earlier transmit configured credentials in plain text as part of the plugin's global Jenkins configuration form, potentially leading to their exposure [1][3]. The credentials are sent without encryption in the form submission, making them visible in network traffic or the page source.

Attack Surface

An attacker with access to network traffic between the user and the Jenkins server, or who can view the configuration page (e.g., through a browser's developer tools), could capture the credentials. No special authentication is required beyond viewing the configuration form, but only users with permission to access global configuration can see it.

Impact

Successful exploitation allows an attacker to obtain credentials stored in the plugin configuration, which could be used to access external repositories like Nexus or Artifactory, leading to unauthorized access to artifacts or deployment capabilities.

Mitigation

The vulnerability is fixed in Repository Connector Plugin version 2.0.0, which moves credential storage to the Credentials plugin [4]. Users should upgrade to the latest version. Those unable to upgrade should avoid storing sensitive credentials in the plugin configuration and ensure network traffic is encrypted (e.g., via HTTPS).

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:repository-connector (Maven)
Affected versions: < 2.0.0
Patched versions: 2.0.0
