Description
Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/09/01/3
https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%281%29
Related Vulnerabilities
CVE-2020-36618 Vulnerability in npm package whois
CVE-2021-21342 Vulnerability in maven package com.thoughtworks.xstream:xstream
CVE-2019-10744 Vulnerability in maven package org.webjars.bowergithub.lodash:lodash
CVE-2015-8862 Vulnerability in maven package org.webjars.bower:mustache
CVE-2022-2047 Vulnerability in maven package org.eclipse.jetty:jetty-http