CVE-2020-2297

Jenkins SMS Notification Plugin 1.2 and earlier stores an access token unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Published: Oct 8, 2020
Updated: Oct 26, 2023
CVE: CVE-2020-2297
GHSA: GHSA-vwfv-qpw8-83c7
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 3.3
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v2:

Severity: Low
Score: 2.1
AV:L/AC:L/Au:N/C:P/I:N/A:N

CWEs:

CWE-522

OWASP TOP 10:

A2 - Broken Authentication

Affected Software
References

Software	From	Fixed in
jenkins / sms_notification	-	1.2.x
com.hoiio.jenkins / sms	-	1.2.x

http://www.openwall.com/lists/oss-security/2020/10/08/5
https://www.jenkins.io/security/advisory/2020-10-08/#SECURITY-2054

Vulnerability Database

289,782

CVE-2020-2297