CVE-2020-2164 — Passwords stored in plain text by Jenkins Artifactory Plugin

Description

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by users with access to the Jenkins controller file system. Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.

How to fix CVE-2020-2164

To remediate CVE-2020-2164, upgrade the affected package to a fixed version below.

—upgrade to 3.5.1 or later
—upgrade to 3.6.0 or later

Is CVE-2020-2164 being exploited?

Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 3.5.1
from 0, < 3.6.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2020-2164
PATCHgithub.com/jenkinsci/artifactory-plugin
WEBjenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20(1)
WEBjenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20%281%29