CVE-2020-2165
Passwords transmitted in plain text by Jenkins Artifactory Plugin
Description
Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml` on the Jenkins controller. Although the password has been stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the global configuration form by Artifactory Plugin 3.6.0 and earlier. This can expose the password to browser extensions, cross-site scripting vulnerabilities, and similar situations. Artifactory Plugin 3.6.1 transmits the password in its global configuration form encrypted.
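The fix the advisory describes follows the standard Jenkins pattern of holding a credential in a `hudson.util.Secret` instead of a `String`, so the global configuration form round-trips the encrypted value rather than the plaintext. The sketch below is an added illustration of that pattern, not the Artifactory Plugin's own code; the class name, field name and helper method are hypothetical.

```java
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

// Hypothetical global configuration holding an Artifactory server password.
// The vulnerable shape (as the advisory describes 3.6.0 and earlier) keeps a
// plain String; the hardened shape keeps a Secret.
@Extension
public class ArtifactoryServerGlobalConfig extends GlobalConfiguration {

    // BEFORE: a String field. The Jelly form binds the getter's value verbatim,
    // so the plaintext password travels to and from the browser every time
    // the global configuration page is rendered or submitted.
    // private String password;
    // public String getPassword() { return password; }

    // AFTER: a Secret field. On disk it is persisted encrypted, and the form
    // control (<f:password field="password"/> in config.jelly) renders
    // Secret.getEncryptedValue() rather than the plaintext, so a browser
    // extension or an XSS payload reading the form sees only ciphertext.
    private Secret password;

    public ArtifactoryServerGlobalConfig() {
        load(); // restore persisted state from the XML configuration file
    }

    public Secret getPassword() {
        return password;
    }

    @DataBoundSetter
    public void setPassword(Secret password) {
        // Form binding goes through Secret.fromString, which accepts either the
        // encrypted form round-tripped from the page or a freshly typed
        // plaintext value, so previously saved configurations keep working.
        this.password = password;
        save();
    }

    // Only the code that must authenticate to Artifactory unwraps the
    // plaintext; it never reaches the rendered configuration form.
    public String plainTextForHttpClient() {
        return password == null ? "" : password.getPlainText();
    }
}
```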
How to fix CVE-2020-2165
To remediate CVE-2020-2165, upgrade the affected package to a fixed version below.
- Upgrade to 3.6.1 or later
Is CVE-2020-2165 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (2)
- from 0, < 3.6.1
- from 0, < 3.6.1
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | Low (3.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |