CVE-2020-2151: 
Java vulnerability analysis and mitigation

CVE-2020-2151 affects the Jenkins Quality Gates Plugin versions 2.5 and earlier. The vulnerability was discovered and disclosed on March 9, 2020. The issue involves the plugin storing credentials in its global configuration file quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller, where credentials are transmitted in plain text as part of the configuration form despite being stored encrypted on disk (Jenkins Advisory, OSS Security).

The vulnerability has a CVSS v3.1 Base Score of 5.3 (MEDIUM) with vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N. The core issue relates to the transmission of credentials in plain text during form configuration, even though these credentials are properly encrypted when stored on disk. This vulnerability is classified as CWE-319 (Cleartext Transmission of Sensitive Information) (NVD).

The exposure of credentials in plain text during form configuration can result in credential exposure through various attack vectors including browser extensions and cross-site scripting vulnerabilities. This potentially allows attackers to capture sensitive authentication information transmitted during Jenkins configuration processes (Jenkins Advisory).

As of the advisory publication date, no fix was available for this vulnerability. Users of the Quality Gates Plugin should be aware of the risks associated with credential transmission during configuration form submission and consider implementing additional security controls to protect sensitive data in transit (Jenkins Advisory).