CVE-2020-2165 org.jenkins-ci.plugins:artifactory

Package

Manager: maven
Name: org.jenkins-ci.plugins:artifactory
Vulnerable Version: >=0 <3.6.1

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.0028 (percentile 0.50952)

Details

Passwords transmitted in plain text by Jenkins Artifactory Plugin

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml` on the Jenkins controller as part of its configuration. While the password has been stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the global configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. Artifactory Plugin 3.6.1 transmits the password in its global configuration form encrypted.

Metadata

Created: 2022-05-24T17:12:40Z
Modified: 2022-12-22T13:56:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-xqf6-5grh-6223/GHSA-xqf6-5grh-6223.json
CWE IDs: ["CWE-319", "CWE-522"]
Alternative ID: GHSA-xqf6-5grh-6223
Finding: F332
Auto approve: 1