CVE-2020-2124: 
Java vulnerability analysis and mitigation

CVE-2020-2124 affects the Jenkins Dynamic Extended Choice Parameter Plugin versions 1.0.1 and earlier. The vulnerability was discovered and disclosed on February 12, 2020, and was identified as a medium severity issue. The vulnerability affects the plugin's handling of Subversion passwords in job configuration files (Jenkins Advisory, NVD).

The vulnerability stems from the plugin storing Subversion passwords unencrypted in job config.xml files on the Jenkins controller. The issue has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability exposes sensitive credentials to unauthorized access. Users with Extended Read permission or those with access to the Jenkins controller file system can view the unencrypted Subversion passwords stored in the job config.xml files (Jenkins Advisory).

As of the advisory publication date, no fix was available for this vulnerability. Organizations using the affected versions of the Dynamic Extended Choice Parameter Plugin should carefully review and restrict access to both Extended Read permissions and the Jenkins controller file system (Jenkins Advisory).

The vulnerability was reported by James Holderness of IB Boost and was acknowledged in the Jenkins security advisory. The Jenkins project publicly disclosed the vulnerability as part of their regular security advisory process (Jenkins Advisory).