3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2119

GHSA ID

GHSA-vvg2-hg3c-mqj3

EPSS Score

0.10408%

CWE

CWE-256

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2119

CVE-2020-2119: Client secret transmitted in plain text by Azure AD Plugin

Azure AD Plugin stores a client secret in its global configuration.

While the credential is stored encrypted on disk, it is transmitted in plain text as part of the configuration form by Azure AD Plugin 1.1.2 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Azure AD Plugin 1.2.0 transmits the client secret in its global configuration encrypted.

(GitHub Advisory)

3.1

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2119

GHSA ID

GHSA-vvg2-hg3c-mqj3

EPSS Score

0.10408%

CWE

CWE-256

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:azure-ad	maven	< 1.2.0	1.2.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the client secret being transmitted in plaintext during configuration form submissions. Jenkins plugins typically handle global configuration via a Descriptor/GlobalConfiguration class. The configure method in such classes processes form data. In pre-1.2.0 versions, the client secret would have been read directly from unencrypted request parameters (e.g., request.getParameter('clientSecret')) before being encrypted for disk storage. The patched version (1.2.0) likely introduced encryption before transmission, which implies the original function lacked this protection. The configure method is the logical point where plaintext transmission would occur, aligning with the CWE-256/CWE-522 descriptions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*zur* ** Plu*in stor*s * *li*nt s**r*t in its *lo**l *on*i*ur*tion. W*il* t** *r***nti*l is stor** *n*rypt** on *isk, it is tr*nsmitt** in pl*in t*xt *s p*rt o* t** *on*i*ur*tion *orm *y *zur* ** Plu*in *.*.* *n* **rli*r. T*is **n r*sult in *xposur*

Reasoning

T** vuln*r**ility st*ms *rom t** *li*nt s**r*t **in* tr*nsmitt** in pl*int*xt *urin* *on*i*ur*tion *orm su*missions. J*nkins plu*ins typi**lly **n*l* *lo**l *on*i*ur*tion vi* * `**s*riptor`/`*lo**l*on*i*ur*tion` *l*ss. T** `*on*i*ur*` m*t*o* in su**

3.1

Basic Information

Concerned about an active attack path?

CVE-2020-2119: Client secret transmitted in plain text by Azure AD Plugin

3.1

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI