VYPR
Moderate severity · NVD Advisory · Published Apr 16, 2020 · Updated Aug 4, 2024

CVE-2020-2177

Description

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files, exposing them to users with Extended Read or filesystem access.

Vulnerability

Description

CVE-2020-2177 in the Jenkins Copr Plugin (versions 0.3 and earlier) involves the insecure storage of credentials. The plugin stored credentials in plain text within job config.xml files on the Jenkins controller (master) [1][3]. This practice violates security best practices for credential management.

Exploitation and Attack Surface

An attacker does not need to be an authenticated Jenkins administrator to exploit this vulnerability. Users who hold the Extended Read permission (which allows viewing job configurations) can read the plaintext credentials directly from the job configuration [1][2]. Additionally, any user with access to the Jenkins controller's file system (for example, through a shell or another plugin) can read the config.xml files and extract the credentials [3]. No privileges beyond Extended Read on the job, or filesystem access to the controller, are required.

Impact

The exposure of these unencrypted credentials could allow an attacker to access any external service that the Copr Plugin was configured to authenticate with. Since the Copr Plugin is used to build RPM packages using the Fedora Copr build service, the compromised credentials could be used to manipulate builds, access source code, or impact the integrity of the build process. The vulnerability is classified as Medium severity [3].

Mitigation

The Jenkins project released Copr Plugin version 0.6.1 which addresses the issue by encrypting stored credentials [2][3]. Users must update to this or any later version. The fix is effective once the job configuration is saved after the plugin update [3]. No workaround is provided for older versions; updating is the only remediation.
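Because the fix only re-encrypts a job's credentials when that job is saved again, an operator who has upgraded still needs to find the config.xml files that were written by 0.3 and never re-saved. The following audit script is an added example, not code from the Copr plugin or from Jenkins: it walks a JENKINS_HOME layout, locates the plugin's publisher element (XStream writes it under the fully qualified class name from the patched file, with the field names apilogin and apitoken from the diff) and reports fields whose value does not look like a hudson.util.Secret envelope. The envelope format it tests for (a base64 blob in braces) is an assumption about current Jenkins, and anything that does not match is reported, which errs toward false positives rather than missed plaintext. The two job files are constructed for the example.

```python
"""Audit Jenkins job config.xml files for Copr Plugin credentials stored in the clear."""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# XStream serialises the publisher under its fully qualified class name; the class and
# the field names apilogin/apitoken are taken from the patched CoprPlugin.java.
COPR_ELEMENT = "org.fedoraproject.jenkins.plugins.copr.CoprPlugin"
SECRET_FIELDS = ("apilogin", "apitoken")

# Assumption: a value held in hudson.util.Secret is written to config.xml as a
# base64 blob wrapped in braces ("{AQAAABAAAA...}"). Anything else is reported,
# which is the conservative choice for an audit.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted(value):
    """True when value looks like a Secret envelope rather than a raw credential."""
    return bool(value) and ENCRYPTED_RE.match(value.strip()) is not None


def find_plaintext_copr_credentials(config_xml_text):
    """Return [(field, value)] for Copr credential fields that are not encrypted."""
    root = ET.fromstring(config_xml_text)
    findings = []
    for plugin in root.iter(COPR_ELEMENT):
        for field in SECRET_FIELDS:
            node = plugin.find(field)
            if node is None or not (node.text or "").strip():
                continue  # field absent or empty: nothing to leak
            if not is_encrypted(node.text):
                findings.append((field, node.text.strip()))
    return findings


def audit_jenkins_home(jenkins_home):
    """Map job name -> plaintext field names for every affected jobs/*/config.xml.

    Only field names are returned so the report itself does not re-expose the secrets.
    """
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/*/config.xml")):
        hits = find_plaintext_copr_credentials(cfg.read_text(encoding="utf-8"))
        if hits:
            report[cfg.parent.name] = [field for field, _ in hits]
    return report


# Constructed samples (not real job files): one config saved by plugin 0.3, one
# re-saved after upgrading so Secret wrote its envelope. All values are invented.
SAMPLE_LEGACY = """<project>
  <publishers>
    <org.fedoraproject.jenkins.plugins.copr.CoprPlugin plugin="copr@0.3">
      <coprname>example-copr</coprname>
      <username>builder</username>
      <apilogin>abc123login</apilogin>
      <apitoken>plaintext-api-token</apitoken>
      <apiurl>https://copr.example.invalid</apiurl>
    </org.fedoraproject.jenkins.plugins.copr.CoprPlugin>
  </publishers>
</project>
"""

SAMPLE_RESAVED = """<project>
  <publishers>
    <org.fedoraproject.jenkins.plugins.copr.CoprPlugin plugin="copr@0.6.1">
      <coprname>example-copr</coprname>
      <username>builder</username>
      <apilogin>{AQAAABAAAAAQ0123456789abcdef0123456789abcdef=}</apilogin>
      <apitoken>{AQAAABAAAAAgfedcba9876543210fedcba9876543210==}</apitoken>
      <apiurl>https://copr.example.invalid</apiurl>
    </org.fedoraproject.jenkins.plugins.copr.CoprPlugin>
  </publishers>
</project>
"""


def demo_audit():
    """Write the two samples into a throwaway JENKINS_HOME layout and audit it."""
    with tempfile.TemporaryDirectory() as home:
        for job, xml in (("legacy-job", SAMPLE_LEGACY), ("resaved-job", SAMPLE_RESAVED)):
            job_dir = Path(home, "jobs", job)
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(xml, encoding="utf-8")
        return audit_jenkins_home(home)


if __name__ == "__main__":
    for job, fields in demo_audit().items():
        print(f"{job}: plaintext Copr credential(s) in {', '.join(fields)}; re-save the job")
```

Run it against a real controller by calling audit_jenkins_home("/var/lib/jenkins") (or wherever JENKINS_HOME lives) and re-save every job it lists; the report deliberately carries field names only, so it can be shared without copying the exposed values into a ticket.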

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                          Affected versions   Patched versions
org.fedoraproject.jenkins.plugins:copr (Maven)   < 0.6.1             0.6.1


Patches

Commit 23ea581364d6 in https://github.com/jenkinsci/copr-plugin · Michal Srb · Apr 3, 2020 · via ghsa
Commit message: SECURITY-1556
1 file changed · +7 −6
  • src/main/java/org/fedoraproject/jenkins/plugins/copr/CoprPlugin.java · +7 −6 · modified
    @@ -39,6 +39,7 @@
     import hudson.tasks.BatchFile;
     import hudson.tasks.Shell;
     import hudson.util.FormValidation;
    +import hudson.util.Secret;
     
     import java.io.IOException;
     import java.net.MalformedURLException;
    @@ -70,8 +71,8 @@ public class CoprPlugin extends Notifier {
         private final String coprname;
         private final String username;
         private final String srpm;
    -    private final String apilogin;
    -    private final String apitoken;
    +    private final Secret apilogin;
    +    private final Secret apitoken;
         private final String apiurl;
         private final String srpmscript;
         private final boolean prepareSrpm;
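Review bot: Switching the apilogin and apitoken fields from String to Secret only changes what is written from now on; a config.xml produced by 0.3 still holds the raw strings on disk until the job is saved again, because Secret's XStream converter accepts the legacy plaintext on load (Secret.fromString treats a value that does not decrypt as plain text) and only encrypts it on the next write. That migration behaviour belongs in the release note for this fix, so operators know to re-save affected jobs rather than assume the upgrade alone cleaned the files.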
    @@ -80,7 +81,7 @@ public class CoprPlugin extends Notifier {
     
         @DataBoundConstructor
         public CoprPlugin(String coprname, String username, String srpm,
    -            String apilogin, String apitoken, String apiurl, String srpmscript,
    +            Secret apilogin, Secret apitoken, String apiurl, String srpmscript,
                 boolean prepareSrpm, String coprTimeout, boolean waitForCoprBuild) {
             this.coprname = coprname;
             this.username = username;
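Review bot: The @DataBoundConstructor now receives Secret for apilogin and apitoken, which Stapler fills from the form via Secret.fromString, but the matching change to the plugin's config.jelly (these inputs must be f:password rather than f:textbox so the form round-trips the encrypted value instead of rendering the credential) is not part of this one-file diff; confirm it exists before merging. The changed signature also breaks any code that constructs CoprPlugin with String arguments (Job DSL scripts, for instance), which should be called out in the changelog.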
    @@ -126,7 +127,7 @@ public boolean perform(AbstractBuild<?, ?> build, Launcher launcher,
             String srpmstr = env.expand(srpm);
             URL srpmurl = getSrpmUrl(srpmstr, build, listener);
     
    -        CoprClient copr = new CoprClient(apiurl, apilogin, apitoken);
    +        CoprClient copr = new CoprClient(apiurl, apilogin.getPlainText(), apitoken.getPlainText());
             CoprBuild coprBuild;
     
             String buildurl = apiurl
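Review bot: apilogin.getPlainText() and apitoken.getPlainText() throw a NullPointerException when the field is null, which happens for a job whose config.xml predates these fields or has them stripped; prefer the null-safe static form, e.g. `new CoprClient(apiurl, Secret.toString(apilogin), Secret.toString(apitoken))`, and report an empty token through the listener instead of a stack trace. Keep the decrypted strings scoped to this call: they must not end up in the build log or in the buildurl assembled just below.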
    @@ -247,11 +248,11 @@ public String getSrpm() {
             return srpm;
         }
     
    -    public String getApilogin() {
    +    public Secret getApilogin() {
             return apilogin;
         }
     
    -    public String getApitoken() {
    +    public Secret getApitoken() {
             return apitoken;
         }
     
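Review bot: Returning Secret from getApilogin()/getApitoken() is what the password form control needs, but note that Secret.toString() (the instance method, deprecated) still returns the plain text and merely logs a warning, so any Jelly template or Groovy that string-interpolates these getters will print the credential. Grep the plugin's resources for uses of those getters before merging, and add a short Javadoc on each getter stating that callers must use getEncryptedValue() or the null-safe Secret.toString(Secret) as appropriate.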
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
