CVE-2020-2232 — Jenkins Email Extension Plugin SMTP password transmitted and displayed in plain

Description

Email Extension Plugin stores an SMTP password in its global configuration file `hudson.plugins.emailext.ExtendedEmailPublisher.xml` on the Jenkins controller as part of its configuration. While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password. Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

How to fix CVE-2020-2232

To remediate CVE-2020-2232, upgrade the affected package to a fixed version below.

—upgrade to 2.74 or later

Is CVE-2020-2232 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

>= 2.72, < 2.74

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.7	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2232
PATCHgithub.com/jenkinsci/email-ext-plugin
WEBgithub.com/jenkinsci/email-ext-plugin/commit/b51497d044e36e950d698a79bb781ef4c83a251c
WEBjenkins.io/security/advisory/2020-08-12/#SECURITY-1975