CVE-2014-2061
Jenkins allows attackers to obtain passwords by reading the HTML source code
EPSS 0.28%
Description
The input control in PasswordParameterDefinition in Jenkins before 1.551 and LTS before 1.532.2 allows remote attackers to obtain passwords by reading the HTML source code, related to the default value.
How to fix CVE-2014-2061
To remediate CVE-2014-2061, upgrade the affected package to a fixed version below.
- Maven/org.jenkins-ci.main:jenkins-core—upgrade to 1.551 or later
Is CVE-2014-2061 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Maven/org.jenkins-ci.main:jenkins-core, versions >= 1.533, < 1.551