Description
Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by attackers with Extended Read permission or with access to the Jenkins controller file system.
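An audit sketch for the storage issue described above, added here as an example and not taken from the advisory or the plugin: it flags password-like fields in a job config.xml whose value is not in the `{base64}` form Jenkins uses for encrypted secrets. The element names in the sample XML are hypothetical and the sample values are constructed; the page does not name the plugin's actual field.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins serializes encrypted hudson.util.Secret values as "{<base64>}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def find_plaintext_passwords(config_xml):
    """Return (element path, value length) for password fields stored in clear.

    Only the length is reported so the audit output never repeats the secret.
    """
    root = ET.fromstring(XML_DECL.sub("", config_xml, count=1))
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = (elem.text or "").strip()
        if "password" in elem.tag.lower() and value \
                and not ENCRYPTED_SECRET.match(value):
            findings.append((here, len(value)))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings

# Constructed samples; tag names are hypothetical, not the plugin's real ones.
SAMPLE_PLAIN = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><example.HypotheticalSoapUIBuilder>
  <pathToProjectFile>tests/project.xml</pathToProjectFile>
  <projectPassword>hunter2-constructed</projectPassword>
</example.HypotheticalSoapUIBuilder></builders></project>"""

SAMPLE_ENCRYPTED = SAMPLE_PLAIN.replace(
    "hunter2-constructed", "{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxlIQ==}")

if __name__ == "__main__":
    # Usage: python audit.py /path/to/JENKINS_HOME (covers nested folder jobs)
    for cfg in Path(sys.argv[1], "jobs").rglob("config.xml"):
        try:
            hits = find_plaintext_passwords(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            print(f"{cfg}: unparseable ({exc})")
            continue
        for path, length in hits:
            print(f"{cfg}: {path} holds a {length}-character cleartext value")
```
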
Remediation
References
http://www.openwall.com/lists/oss-security/2020/09/01/3
https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%281%29