Jenkins BMC Release Package and Deployment Plugin 1.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. As of publication of this advisory, there is no fix.

Affected Packages

Maven RPD:bmc-rpd

Affected versions: 0 (last affected: 1.1)

Related CVEs

CVE-2020-2127

Key Information

GHSA ID

GHSA-2j3r-x6xc-qqqj

Published

May 24, 2022 5:08 PM

Last Modified

January 9, 2023 7:46 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

RPD:bmc-rpd

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.