CVE-2020-2164Insufficiently Protected Credentials in Project Jenkins Artifactory Plugin

CWE-522Insufficiently Protected CredentialsCWE-312Cleartext Storage of Sensitive Info5 documents5 sources
Severity
6.5MEDIUMNVD
EPSS
0.3%
top 50.77%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Artifactory PluginJfrog Artifactory
Timeline
PublishedMar 25
Latest updateMay 24

Description

Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

CVEListV5jenkins_project/jenkins_artifactory_pluginunspecified3.5.0

🔴Vulnerability Details

3
GHSA
Passwords stored in plain text by Jenkins Artifactory Plugin2022-05-24
OSV
Passwords stored in plain text by Jenkins Artifactory Plugin2022-05-24
CVEList
CVE-2020-2164: Jenkins Artifactory Plugin 32020-03-25

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2020-03-252020-03-25
CVE-2020-2164 — Insufficiently Protected Credentials | cvebase