Description
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins FitNesse Plugin versions 1.36 and earlier store job passwords unencrypted in the controller's config.xml files. Users with Extended Read permission, or anyone who can read the controller's file system, can recover those passwords, compromising authentication data and allowing an attacker to impersonate legitimate services or users.

Affected Systems

The affected product is the Jenkins FitNesse Plugin for the Jenkins Project, specifically release 1.36 and earlier versions.

Risk and Exploitability

Because the data is persisted in clear text, any user who can read job configuration files (either through the Extended Read permission or by accessing the controller's file system) can read the stored passwords directly. The CVSS score is 4.3. The EPSS score is not available and the issue is not listed in CISA KEV, yet the potential impact of credential exposure is high and requires immediate attention.

Generated by OpenCVE AI on June 24, 2026 at 16:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins FitNesse Plugin to the latest version which removes the insecure password storage or provides secure credential handling.
  • If an upgrade is not possible, edit the config.xml files to delete or encrypt any stored passwords and re-configure the plugin to avoid storing credentials in plain text.
  • Restrict the Extended Read permission to only trusted users and audit filesystem access rights to the Jenkins controller directories.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unencrypted Password Storage in Jenkins FitNesse Plugin
Weaknesses CWE-200
CWE-259

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Unencrypted Password Storage in Jenkins FitNesse Plugin
Weaknesses CWE-200
CWE-259

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
References

MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:28:27.756Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57302

Vulnrichment

Updated: 2026-06-24T14:22:17.349Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T16:30:06Z

Weaknesses
  • CWE-256: Plaintext Storage of a Password