Low severity · NVD Advisory · Published Mar 9, 2020 · Updated Aug 4, 2024

CVE-2020-2155

Description

Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits configured credentials in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins OpenShift Deployer Plugin 1.2.0 and earlier transmits credentials in plain text via the global configuration form, risking exposure.

Vulnerability Description

The Jenkins OpenShift Deployer Plugin up to version 1.2.0 transmits configured credentials in plain text as part of its global Jenkins configuration form. This means that when an administrator views the configuration page, the plugin fills in the password or other secret fields with their actual values rather than masking them, potentially exposing them to anyone with access to the Jenkins UI [1][2].

Exploitation and Impact

An attacker who can view the global configuration page—for example, a user with Overall/Read permission or via a cross-site request forgery (CSRF) attack—could obtain cleartext credentials. Since the credentials are embedded directly in the HTML of the configuration form, they are also more likely to be inadvertently exposed through browser history, server logs, or other caching mechanisms [3]. The plugin's design for OpenShift v2 requires storing SSH keys and broker credentials, making the exposure particularly sensitive [4].

Mitigation

As of the advisory date (March 9, 2020), the vulnerability is acknowledged but no fixed version of the OpenShift Deployer Plugin has been released. The plugin is listed among those with unresolved security issues in the Jenkins security advisory [1][2]. Until a patch is available, users should restrict access to the Jenkins global configuration page and consider alternative deployment methods or plugin replacements.

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.jenkins-ci.plugins:openshift-deployer (Maven) | <= 1.2.0 |

Affected products

3

Patches

0

No patches discovered yet.

References

4
