Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.

Affected Packages

Maven org.jenkins-ci.plugins:Parameterized-Remote-Trigger

Affected versions: 0 (fixed in 3.1.4)

Related CVEs

CVE-2020-2239

Key Information

GHSA ID

GHSA-wphq-j78p-fhgp

Published

May 24, 2022 5:27 PM

Last Modified

December 21, 2022 12:21 AM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:Parameterized-Remote-Trigger

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 27, 2025 6:31 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.