Description
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-2014
http://www.openwall.com/lists/oss-security/2020/09/16/3
Related Vulnerabilities
CVE-2023-49653 Vulnerability in maven package org.jenkins-ci.plugins:jira
CVE-2020-16013 Vulnerability in npm package electron
CVE-2021-39177 Vulnerability in maven package org.geysermc:connector
CVE-2022-43435 Vulnerability in maven package org.jenkins-ci.plugins.plugin:fireline
CVE-2019-10241 Vulnerability in maven package org.eclipse.jetty.aggregate:jetty-all