CVE-2020-2125: Credentials stored in plain text by debian-package-builder Plugin

CVSS Score (v3.1): 3.3
Basic Information

EPSS Score: 0.07093%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                                                 Ecosystem   Vulnerable Versions   First Patched Version
ru.yandex.jenkins.plugins.debuilder:debian-package-builder   maven       <= 1.6.11             (none)

Vulnerability Intelligence
Root Cause Analysis (Miggo AI)

The vulnerability stems from unencrypted storage of credentials in Jenkins' XML configuration files. In Jenkins plugin architecture:

  1. Credential fields are typically managed through setter methods that bind UI input to configuration objects
  2. XML serialization is handled by XStream or similar frameworks
  3. The explicit lack of encryption indicates missing credential masking or secure storage mechanisms

Though no patch is available, the pattern matches Jenkins' configuration handling:

  • setGpgPassphrase() would receive the plaintext value from the configuration form
  • getConfigXml() would handle the persistence logic

Both would fail to invoke Jenkins' credential encryption APIs like Secret.toString() or PasswordEncrypter.
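To make the pattern concrete, here is an added illustration (not the plugin's own code; the class and field names are hypothetical) of a Jenkins global configuration that stores a GPG passphrase as a plain String beside the same configuration using hudson.util.Secret. Descriptor.save() writes the object through XStream to $JENKINS_HOME/<fully-qualified class name>.xml on the controller, which is exactly where the difference shows up.

```java
// Added illustration, not the plugin's own code; names are hypothetical.
package example;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

public class GpgPassphraseStorage {

    // VULNERABLE PATTERN (not registered as an extension; shown for contrast).
    // A plain String is persisted by XStream exactly as entered, so the
    // passphrase is written in clear text to $JENKINS_HOME/<FQCN>.xml by save().
    public static class PlaintextConfig extends GlobalConfiguration {
        private String gpgPassphrase;

        public String getGpgPassphrase() { return gpgPassphrase; }

        @DataBoundSetter
        public void setGpgPassphrase(String gpgPassphrase) {
            this.gpgPassphrase = gpgPassphrase; // no encryption at all
            save();                             // <gpgPassphrase>hunter2</gpgPassphrase>  (constructed sample value)
        }
    }

    // HARDENED PATTERN. hudson.util.Secret is serialized through its own
    // XStream converter, which writes Secret.getEncryptedValue() (encrypted
    // with the controller's instance-specific key), so the XML on disk never
    // holds the plaintext. Stapler converts the submitted form String into a
    // Secret for the @DataBoundSetter automatically.
    @Extension
    public static class SecretConfig extends GlobalConfiguration {
        private Secret gpgPassphrase;

        public SecretConfig() { load(); }

        public Secret getGpgPassphrase() { return gpgPassphrase; }

        @DataBoundSetter
        public void setGpgPassphrase(Secret gpgPassphrase) {
            this.gpgPassphrase = gpgPassphrase;
            save();                             // <gpgPassphrase>{...encrypted...}</gpgPassphrase>
        }

        // Decrypt only at the moment gpg actually needs the value, never for display.
        public String passphraseForGpg() {
            return gpgPassphrase == null ? "" : gpgPassphrase.getPlainText();
        }
    }
}
```

The matching config.jelly should bind the field with an `f:password` control rather than `f:textbox`, so the value is masked in the browser as well as on disk.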


WAF Protection Rules

WAF Rule

debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file `ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml` on the Jenkins controller. This credential can be viewed by users wit
