CVE-2020-2153: 
Java vulnerability analysis and mitigation

Jenkins Backlog Plugin version 2.4 and earlier contains a security vulnerability (CVE-2020-2153) discovered in March 2020. The plugin stores credentials in job config.xml files as part of its configuration. While these credentials are stored in encrypted form on disk, they are transmitted in plain text through configuration forms, potentially exposing them to users with Extended Read permission (Jenkins Advisory, OSS Security).

The vulnerability is classified as a low severity issue according to CVSS scoring. The core issue lies in the plugin's handling of credentials, where despite being stored encrypted on disk in job config.xml files, they are transmitted unencrypted during configuration form transmission. This implementation flaw could lead to credential exposure through various vectors including browser extensions and cross-site scripting vulnerabilities (Jenkins Advisory).

The primary impact of this vulnerability is the potential exposure of credentials to users who have Extended Read permission in Jenkins. The plain text transmission of credentials during configuration form handling makes them vulnerable to interception through browser extensions or exploitation via cross-site scripting vulnerabilities (Jenkins Advisory).

As of the advisory's publication date, no official fix was available for this vulnerability affecting Backlog Plugin versions 2.4 and earlier. Users should carefully consider the implications of using this plugin version and potentially restrict access to users with Extended Read permission (Jenkins Advisory).

The vulnerability was discovered and reported by James Holderness of IB Boost, demonstrating the active security research community's involvement in identifying Jenkins plugin vulnerabilities (Jenkins Advisory).