Impact
Jenkins FitNesse Plugin versions 1.36 and earlier store job passwords unencrypted in the controller’s config.xml files, which can be accessed by users with Extended Read permission or anyone with filesystem access. This exposes credential data to anyone who can read the job configuration files.
Affected Systems
The affected product is the Jenkins FitNesse Plugin for the Jenkins Project, specifically release 1.36 and earlier versions.
Risk and Exploitability
Because passwords are persisted in plain text, any user who can read job configuration files—either through the Extended Read privilege or by accessing the controller’s filesystem—can view the stored passwords. The CVSS score is 4.3. The EPSS score is not available and the issue is not listed in CISA KEV. Based on the description, it is inferred that the exposed passwords could be used to gain unauthorized access to services or systems that rely on those credentials.
OpenCVE Enrichment