tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file `hudson.plugins.tfs.TeamPluginGlobalConfig.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Affected Packages

Maven org.jenkins-ci.plugins:tfs

Affected versions: 0 (last affected: 5.157.1)

Related CVEs

CVE-2020-2249

Key Information

GHSA ID

GHSA-w6c2-jrhh-jrxg

Published

May 24, 2022 5:27 PM

Last Modified

December 20, 2022 10:39 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:tfs

GitHub Reviewed

✓ Yes

Dataset

Last updated: July 5, 2025 6:26 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.