CVE-2020-2119: 
Java vulnerability analysis and mitigation

CVE-2020-2119 affects the Microsoft Entra ID (previously Azure AD) Plugin for Jenkins, discovered and disclosed on February 12, 2020. This vulnerability impacts versions 1.1.2 and earlier of the plugin, which is used for Azure Active Directory integration with Jenkins (Jenkins Advisory).

The vulnerability is classified with a Low severity CVSS score. The issue stems from the plugin storing a client secret in its global configuration that, while encrypted at rest on disk, is transmitted in plain text as part of the configuration form. This implementation weakness could expose sensitive credentials through various attack vectors (Jenkins Advisory).

The vulnerability could result in exposure of the client secret credential through browser extensions, cross-site scripting vulnerabilities, and similar situations, potentially compromising the security of Azure AD integration (Jenkins Advisory).

The vulnerability was fixed in Microsoft Entra ID Plugin version 1.2.0, which implements encrypted transmission of the client secret in its global configuration. Users should upgrade to this version or later to address the security issue (Jenkins Advisory).

The vulnerability was reported by Joseph Petersen (@jetersen) and was addressed as part of a larger Jenkins security advisory that included multiple plugin vulnerabilities (Jenkins Advisory).