Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS14cWY2LTVncmgtNjIyM84AAkDL
Passwords transmitted in plain text by Jenkins Artifactory Plugin
Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml
on the Jenkins controller as part of its configuration.
While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.
Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.
Permalink: https://github.com/advisories/GHSA-xqf6-5grh-6223JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cWY2LTVncmgtNjIyM84AAkDL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: about 1 year ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
EPSS Percentage: 0.00178
EPSS Percentile: 0.55515
Identifiers: GHSA-xqf6-5grh-6223, CVE-2020-2165
References:
- https://nvd.nist.gov/vuln/detail/CVE-2020-2165
- https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20(2)
- http://www.openwall.com/lists/oss-security/2020/03/25/2
- https://github.com/advisories/GHSA-xqf6-5grh-6223
Affected Packages
maven:org.jenkins-ci.plugins:artifactory
Affected Version Ranges: < 3.6.1Fixed in: 3.6.1