Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS14cWY2LTVncmgtNjIyM84AAkDL

Passwords transmitted in plain text by Jenkins Artifactory Plugin

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

Permalink: https://github.com/advisories/GHSA-xqf6-5grh-6223
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS14cWY2LTVncmgtNjIyM84AAkDL
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: about 1 year ago


CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00178
EPSS Percentile: 0.55515

Identifiers: GHSA-xqf6-5grh-6223, CVE-2020-2165
References: Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:artifactory
Affected Version Ranges: < 3.6.1
Fixed in: 3.6.1