Stored API Key Vulnerability in Jenkins Redgate SQL Change Automation Plugin
CVE-2020-2095

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Redgate Sql Change Automation Plugin
Vendor: CVE Published:; 15 January 2020

Summary

The Jenkins Redgate SQL Change Automation Plugin prior to version 2.0.4 possesses a vulnerability where it stores API keys in an unencrypted format within job configuration files on the Jenkins master. This insecure storage allows users with Extended Read permission, or direct access to the master file system, to view these sensitive API keys, potentially leading to unauthorized access and exploitation of the Jenkins environment. It's crucial for users to upgrade to a secure version to mitigate this risk.

Affected Version(s)

Jenkins Redgate SQL Change Automation Plugin <= 2.0.4

References

https://jenkins.io/security/advisory/2020-01-15/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 15, 2020
Vulnerability Reserved
Dec 5, 2019