VYPR
Moderate severity · NVD Advisory · Published Sep 16, 2020 · Updated Aug 4, 2024

CVE-2020-2274

Description

Jenkins ElasTest Plugin stores its server password in plaintext in the global configuration file, allowing local attackers to capture credentials.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2020-2274 describes a cleartext storage vulnerability in the Jenkins ElasTest Plugin, versions 1.2.1 and earlier. The plugin stores its server password unencrypted in the global configuration file (config.xml) on the Jenkins controller [1][3]. This violates security best practices by exposing sensitive credentials to anyone with filesystem access.

Exploitation and Attack Surface

An attacker needs only read access to the Jenkins controller's file system to retrieve the plaintext password. This could be a malicious Jenkins user with overall read permissions, or an external attacker who has already gained low-privilege access to the underlying operating system [2]. No additional authentication or network position is required beyond filesystem read capability.

Impact

A local attacker who obtains the ElasTest server password can use it to authenticate to the ElasTest service, potentially accessing testing logs and other data processed by the plugin [4]. Since the password is stored in cleartext without any encryption or obfuscation, the exposure is immediate and complete.

Mitigation

As of the September 16, 2020 Jenkins security advisory, no patch was available for the ElasTest Plugin [2]. The plugin was listed among unresolved issues, meaning users must manually implement workarounds, such as restricting filesystem access, using a dedicated service account with minimal privileges, or migrating to a different integration plugin.
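A defender-side check for this class of bug, added here as an example (it is not from the advisory or the ElasTest plugin): it parses a plugin's global configuration XML from JENKINS_HOME and reports credential-like elements whose value is not in the braced base64 form Jenkins uses for encrypted hudson.util.Secret values. The sample XML, the descriptor element name and the list of credential-like tag names are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET

# Element names that commonly hold credentials in Jenkins plugin descriptors
# (assumed list; extend it for the plugins deployed on your controller).
CREDENTIAL_TAGS = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.I)

# Encrypted hudson.util.Secret values serialise as "{<base64>}" (assumption
# stated in the lead-in). Any other non-empty text in a credential-like
# element is reported as stored in cleartext.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def _walk(elem, path):
    """Yield (path, element) pairs for elem and all of its descendants."""
    yield path, elem
    for child in elem:
        yield from _walk(child, path + "/" + child.tag)


def find_cleartext_secrets(xml_text: str):
    """Return (element path, masked value) pairs for credential-like elements
    whose text is not in the encrypted Secret form. Values are masked so the
    report itself does not leak the credential."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, elem in _walk(root, root.tag):
        if not CREDENTIAL_TAGS.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_SECRET.match(value):
            findings.append((path, value[:3] + "***"))
    return findings


# Constructed sample resembling a plugin's global config file in JENKINS_HOME;
# it is not a dump of the real ElasTest plugin descriptor.
SAMPLE_CONFIG = """<jenkins.plugins.example.ExampleDescriptor plugin="example@1.2.1">
  <serverUrl>https://elastest.example.invalid</serverUrl>
  <username>ci-bot</username>
  <password>SuperSecretPassw0rd</password>
  <apiToken>{AQAAABAAAAAwx9FAKEFAKEFAKEFAKE=}</apiToken>
</jenkins.plugins.example.ExampleDescriptor>
"""

if __name__ == "__main__":
    for path, masked in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"cleartext credential in {path}: {masked}")
```

Run it against each descriptor XML file in JENKINS_HOME on a controller you administer; a non-empty result is the condition this advisory describes.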

AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:elastest (Maven)
Affected versions: <= 1.2.1
Patched versions: none

Affected products: 2

Patches: 0

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References: 4

News mentions: 1