CVE Catalog

CVE-2026-57302

MediumCVSS 4.3
Published: Updated: Translated: NVD NIST

Exploitation Probability (EPSS)

Low risk
0.18%

8th percentile — higher than 8% of all known CVEs

Summary

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Risk Assessment

The risk involves potential exposure of passwords stored in job configurations, which could lead to unauthorized access to external systems or privilege escalation within the Jenkins environment.

Recommendation

It is recommended to immediately update the FitNesse plugin to the latest available version and change all passwords that may have been stored in config.xml files. Also restrict Extended Read permissions and access to the controller file system.

Original NVD description (English source)

Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Vulnerability data from NVD (NIST) · CISA KEV · EPSS