CVE-2026-57302
Summary
| CVE | CVE-2026-57302 |
|---|---|
| State | PUBLISHED |
| Assigner | jenkins |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-06-24 14:17:36 UTC |
| Updated | 2026-06-24 16:16:35 UTC |
| Description | Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system. |
Risk And Classification
Primary CVSS: v3.1 4.3 MEDIUM from ADP
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Problem Types: CWE-256 | CWE-256 CWE-256 Plaintext Storage of a Password
| Version | Source | Type | Score | Severity | Vector |
|---|---|---|---|---|---|
| 3.1 | ADP | DECLARED | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| 3.1 | 134c704f-9b21-4f2e-91b3-4a467353bcc0 | Secondary | 4.3 | MEDIUM | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
CVSS v3.1 Breakdown
Attack Vector
NetworkAttack Complexity
LowPrivileges Required
LowUser Interaction
NoneScope
UnchangedConfidentiality
LowIntegrity
NoneAvailability
NoneCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Jenkins Project | Jenkins FitNesse Plugin | affected 1.36 | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| www.jenkins.io/security/advisory/2026-06-24 | [email protected] | www.jenkins.io | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
No vendor comments have been submitted for this CVE.
There are currently no legacy QID mappings associated with this CVE.