GHSA-xqf6-5grh-6223

Опубликовано: 24 мая 2022

Источник: github

Github: Прошло ревью

CVSS3: 3.1

Описание

Passwords transmitted in plain text by Jenkins Artifactory Plugin

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file org.jfrog.hudson.ArtifactoryBuilder.xml on the Jenkins controller as part of its configuration.

While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

Ссылки

Пакеты

Наименование

org.jenkins-ci.plugins:artifactory

maven

Затронутые версииВерсия исправления

< 3.6.1

3.6.1

EPSS

Процентиль: 56%

0.00331

Низкий

3.1 Low

CVSS3

CVE ID

CVE-2020-2165

Дефекты

CWE-319

CWE-522

Связанные уязвимости

CVE-2020-2165

CVSS3: 7.5

nvd

почти 6 лет назад

Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

BDU:2020-02697

CVSS3: 7.5

fstec

почти 6 лет назад

Уязвимость компонента org.jfrog.hudson.ArtifactoryBuilder.xml плагина Jenkins Artifactory Plugin, позволяющая нарушителю получить учетные данные

EPSS

Процентиль: 56%

0.00331

Низкий

3.1 Low

CVSS3

CVE ID

CVE-2020-2165

Дефекты

CWE-319

CWE-522