Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
References
| Link | Resource |
|---|---|
| https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3555 | Vendor Advisory |
History
26 Jun 2026, 19:05
| Type | Values Removed | Values Added |
|---|---|---|
| First Time | Jenkins<br>Jenkins fitnesse | |
| CPE | cpe:2.3:a:jenkins:fitnesse:*:*:*:*:*:jenkins:*:* | |
| References | () https://www.jenkins.io/security/advisory/2026-06-24/#SECURITY-3555 - Vendor Advisory |
24 Jun 2026, 16:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS | v2 : <br>v3 : | v2 : unknown<br>v3 : 4.3 |
| CWE | CWE-256 |
24 Jun 2026, 14:17
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-06-24 14:17
Updated : 2026-06-26 19:05
NVD link : CVE-2026-57302
Mitre link : CVE-2026-57302
CVE.ORG link : CVE-2026-57302
Products Affected
jenkins
- fitnesse
CWE
CWE-256
Plaintext Storage of a Password
