Description
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Published: 2026-06-24
Score: 4.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Jenkins FitNesse Plugin versions 1.36 and earlier store job passwords unencrypted in the controller’s config.xml files, which can be accessed by users with Extended Read permission or anyone with filesystem access. This exposes credential data to anyone who can read the job configuration files.

Affected Systems

The affected product is the Jenkins FitNesse Plugin for the Jenkins Project, specifically release 1.36 and earlier versions.

Risk and Exploitability

Because passwords are persisted in plain text, any user who can read job configuration files—either through the Extended Read privilege or by accessing the controller’s filesystem—can view the stored passwords. The CVSS score is 4.3. The EPSS score is not available and the issue is not listed in CISA KEV. Based on the description, it is inferred that the exposed passwords could be used to gain unauthorized access to services or systems that rely on those credentials.

Generated by OpenCVE AI on June 24, 2026 at 17:50 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Jenkins FitNesse Plugin to the latest version which removes the insecure password storage or provides secure credential handling.
  • If an upgrade is not possible, edit the config.xml files to delete or encrypt any stored passwords and re-configure the plugin to avoid storing credentials in plain text.
  • Restrict the Extended Read permission to only trusted users and audit filesystem access rights to the Jenkins controller directories.

Generated by OpenCVE AI on June 24, 2026 at 17:50 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins Project
Jenkins Project jenkins Fitnesse Plugin
Vendors & Products Jenkins Project
Jenkins Project jenkins Fitnesse Plugin

Wed, 24 Jun 2026 18:15:00 +0000

Type Values Removed Values Added
Title Jenkins FitNesse Plugin Exposes Unencrypted Passwords in Config Files

Wed, 24 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Unencrypted Password Storage in Jenkins FitNesse Plugin
Weaknesses CWE-200
CWE-259

Wed, 24 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 15:00:00 +0000

Type Values Removed Values Added
Title Unencrypted Password Storage in Jenkins FitNesse Plugin
Weaknesses CWE-200
CWE-259

Wed, 24 Jun 2026 13:45:00 +0000

Type Values Removed Values Added
Description Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
References

Subscriptions

Jenkins Project Jenkins Fitnesse Plugin
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2026-06-24T14:28:27.756Z

Reserved: 2026-06-24T08:41:44.359Z

Link: CVE-2026-57302

cve-icon Vulnrichment

Updated: 2026-06-24T14:22:17.349Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:40:55Z

Weaknesses
  • CWE-256

    Plaintext Storage of a Password