CVE-2026-57302

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:fitnesse:*:*:*:*:*:jenkins:*:*

History

26 Jun 2026, 19:05

Type Values Removed Values Added
First Time Jenkins
Jenkins fitnesse
CPE cpe:2.3:a:jenkins:fitnesse:*:*:*:*:*:jenkins:*:*
References () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3555 - () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3555 - Vendor Advisory

24 Jun 2026, 16:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 4.3
CWE CWE-256

24 Jun 2026, 14:17

Type Values Removed Values Added
New CVE

Information

Published : 2026-06-24 14:17

Updated : 2026-06-26 19:05


NVD link : CVE-2026-57302

Mitre link : CVE-2026-57302

CVE.ORG link : CVE-2026-57302


JSON object : View

Products Affected

jenkins

  • fitnesse
CWE
CWE-256

Plaintext Storage of a Password