CVE-2020-2155: 
Java vulnerability analysis and mitigation

CVE-2020-2155 affects the Jenkins OpenShift Deployer Plugin versions 1.2.0 and earlier. The vulnerability was discovered and reported by James Holderness of IB Boost and was publicly disclosed on March 9, 2020. This security issue involves the transmission of credentials in plain text as part of the plugin's global Jenkins configuration form, despite being stored encrypted on disk (Jenkins Advisory, OSS Security).

The vulnerability exists in the OpenShift Deployer Plugin's handling of credentials in its global configuration file 'org.jenkinsci.plugins.openshift.DeployApplication.xml' on the Jenkins controller. While the credentials are stored in an encrypted format on disk, they are transmitted as plain text during configuration form operations. The severity of this vulnerability is rated as Low according to the CVSS scoring system (Jenkins Advisory).

The vulnerability can result in the exposure of credentials through various attack vectors, including browser extensions and cross-site scripting vulnerabilities. This exposure could potentially compromise the security of the Jenkins deployment and associated OpenShift resources (Jenkins Advisory).

As of the advisory publication date, no fix was available for this vulnerability in the OpenShift Deployer Plugin. Users should carefully consider the risk of credential exposure when using versions 1.2.0 and earlier of the plugin (Jenkins Advisory).