CVE-2026-57302
MediumCVSS 4.3Exploitation Probability (EPSS)
Low risk8th percentile — higher than 8% of all known CVEs
Summary
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.
Risk Assessment
The risk involves potential exposure of passwords stored in job configurations, which could lead to unauthorized access to external systems or privilege escalation within the Jenkins environment.
Recommendation
It is recommended to immediately update the FitNesse plugin to the latest available version and change all passwords that may have been stored in config.xml files. Also restrict Extended Read permissions and access to the controller file system.
Original NVD description (English source)
Jenkins FitNesse Plugin 1.36 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

