Description
Jenkins SoapUI Pro Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/09/01/3
https://jenkins.io/security/advisory/2020-09-01/#SECURITY-1631%20%281%29
Related Vulnerabilities
CVE-2022-24881 Vulnerability in maven package com.hccake:ballcat-codegen
CVE-2019-20444 Vulnerability in maven package io.netty:netty-all
CVE-2019-1003072 Vulnerability in maven package org.jenkins-ci.plugins:wildfly-deployer
CVE-2020-7660 Vulnerability in maven package org.webjars.npm:serialize-javascript
CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-elasticsearch