GHSA-ccwp-633j-g29v

GitHub Security Advisory

Passwords stored in plain text by Jenkins ReadyAPI Functional Testing Plugin

✓ GitHub Reviewed MODERATE Has CVE

Advisory Details

ReadyAPI Functional Testing Plugin 1.3 and earlier stores project passwords unencrypted in job `config.xml` files as part of its configuration. These project passwords can be viewed by attackers with Extended Read permission or access to the Jenkins controller file system.

ReadyAPI Functional Testing Plugin 1.4 stores project passwords encrypted once affected job configurations are saved again.
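Because 1.4 only encrypts a password when the job is saved again, an upgraded controller can still hold plaintext values in older `config.xml` files. The following audit sketch is an added example, not code from the plugin or the advisory. It assumes plugin-owned elements carry a `plugin="soapui-pro-functional-testing@<version>"` attribute and treats any element whose tag contains "password" as a candidate; the element names in the sample are constructed.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins serializes hudson.util.Secret values in config.xml as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: plugin-owned elements carry plugin="<artifactId>@<version>".
PLUGIN_ID = "soapui-pro-functional-testing"
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def plaintext_password_fields(xml_text):
    """Tags of non-empty password-like fields under plugin elements not in Secret form."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    hits = []
    for owner in root.iter():
        if not owner.get("plugin", "").startswith(PLUGIN_ID + "@"):
            continue
        for field in owner.iter():
            value = (field.text or "").strip()
            if "password" in field.tag.lower() and value and not ENCRYPTED.match(value):
                hits.append(field.tag)
    return hits

def audit_jobs(jenkins_home):
    """Job directory -> plaintext fields, for jobs that still need re-saving."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        hits = plaintext_password_fields(cfg.read_text(encoding="utf-8"))
        if hits:
            report[cfg.parent.relative_to(jenkins_home).as_posix()] = hits
    return report

# Constructed sample config; element names are hypothetical, not the plugin's schema.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders>
  <example.ReadyApiBuilder plugin="soapui-pro-functional-testing@{ver}">
    <projectPassword>{pw}</projectPassword>
  </example.ReadyApiBuilder>
</builders></project>"""

def demo():
    """Build a throwaway JENKINS_HOME with one stale and one re-saved job, then audit it."""
    with tempfile.TemporaryDirectory() as home:
        for job, ver, pw in [("legacy", "1.3", "hunter2"), ("resaved", "1.4", "{AQAAABAAAAAQc2FtcGxl}")]:
            job_dir = Path(home, "jobs", job)
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(SAMPLE.format(ver=ver, pw=pw), encoding="utf-8")
        return audit_jobs(home)
```

Jobs listed in the report need to be saved again under 1.4, and any password that sat in plaintext should be rotated.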

Affected Packages

Maven org.jenkins-ci.plugins:soapui-pro-functional-testing
Affected versions: 0 (fixed in 1.4)

Key Information

GHSA ID
GHSA-ccwp-633j-g29v
Published
May 24, 2022 5:27 PM
Last Modified
December 20, 2022 10:10 PM
CVSS Score
5.0 /10
Primary Ecosystem
Maven
Primary Package
org.jenkins-ci.plugins:soapui-pro-functional-testing
GitHub Reviewed
✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.