CVE-2020-2125: Credentials stored in plain text by debian-package-builder Plugin

CVSS Score: 3.3 (CVSS 3.1)

Basic Information
CVE ID: CVE-2020-2125
GHSA ID:
EPSS Score: 0.07093%
CWE:
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details
CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| ru.yandex.jenkins.plugins.debuilder:debian-package-builder | maven | <= 1.6.11 | |
Vulnerability Intelligence (Miggo AI): Root Cause Analysis

The vulnerability stems from unencrypted storage of credentials in Jenkins' XML configuration files. In the Jenkins plugin architecture:
- Credential fields are typically managed through setter methods that bind UI input to configuration objects.
- XML serialization is handled by XStream or a similar framework.
- The explicit lack of encryption indicates that credential masking or a secure storage mechanism is missing.

Although no patch is available, the pattern matches Jenkins' configuration handling:
- setGpgPassphrase() would receive the plaintext value from the configuration form.
- getConfigXml() would handle the persistence logic.
- Neither would invoke Jenkins' credential encryption APIs such as Secret.toString() or PasswordEncrypter.
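The following is an added illustration of the storage pattern described above, written for this page; it is not code from the debian-package-builder plugin or from Jenkins itself. It shows a generic Jenkins build step whose GPG passphrase field is declared first as a plain `String` (the pattern this advisory describes, which XStream writes verbatim into config.xml) and then as `hudson.util.Secret`, the core API Jenkins provides so that the serialized form is encrypted with the instance's master key. The class name `GpgSigningStep`, the package name, and the `legacyGpgPassphrase` migration field are assumptions made for the example; only the setter name `setGpgPassphrase` comes from the analysis above.

```java
package example.jenkins; // hypothetical package name for this illustration

import hudson.Extension;
import hudson.model.AbstractProject;
import hudson.tasks.BuildStepDescriptor;
import hudson.tasks.Builder;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;
import org.kohsuke.stapler.DataBoundSetter;

/**
 * Illustrative build step (not the plugin's code) that keeps a GPG passphrase
 * in its job configuration. The before/after fields show why a plain String
 * ends up readable in config.xml while a Secret does not.
 */
public class GpgSigningStep extends Builder {

    // BEFORE (the pattern this advisory describes): XStream serializes a
    // String field as-is, so config.xml on disk contains
    //   <gpgPassphrase>my-real-passphrase</gpgPassphrase>
    // readable by anyone with file-system access to the controller.
    //
    //   private String gpgPassphrase;

    // AFTER: Secret is serialized through Jenkins' SecretConverter, so the
    // same element holds ciphertext such as
    //   <gpgPassphrase>{PLACEHOLDER-ENCRYPTED-BLOB}</gpgPassphrase>
    // keyed to the instance's master key.
    private Secret gpgPassphrase;

    // Older config.xml files written by the String version still carry the
    // plaintext element; keeping a transient legacy field lets readResolve()
    // migrate them on load so the next save rewrites them encrypted.
    // (Field name is an assumption for this example.)
    private transient String legacyGpgPassphrase;

    @DataBoundConstructor
    public GpgSigningStep() {
    }

    // Stapler converts the <f:password> form value straight into a Secret,
    // so the plaintext never needs to be held as a String field.
    @DataBoundSetter
    public void setGpgPassphrase(Secret gpgPassphrase) {
        this.gpgPassphrase = gpgPassphrase;
    }

    // Getter returns the Secret; the Jelly view renders it masked, and the
    // XML form of the value is its encrypted representation.
    public Secret getGpgPassphrase() {
        return gpgPassphrase;
    }

    // Decrypt only at the point of use (handing the passphrase to gpg),
    // never in a getter that reaches the UI or the persisted XML.
    String passphraseForSigning() {
        return Secret.toString(gpgPassphrase); // "" when unset
    }

    // Called by XStream after deserialization: migrate a legacy plaintext
    // value into the Secret field and discard the String copy.
    private Object readResolve() {
        if (legacyGpgPassphrase != null) {
            gpgPassphrase = Secret.fromString(legacyGpgPassphrase);
            legacyGpgPassphrase = null;
        }
        return this;
    }

    @Extension
    public static final class DescriptorImpl extends BuildStepDescriptor<Builder> {
        @Override
        public boolean isApplicable(Class<? extends AbstractProject> jobType) {
            return true;
        }

        @Override
        public String getDisplayName() {
            return "Sign Debian package (example step)";
        }
    }
}
```

A practitioner auditing a plugin for this weakness can check two things against this pattern: whether any password-like field is declared as `String` rather than `Secret` (or as a credentials ID resolved through the Credentials plugin), and whether a job's config.xml on the controller shows the value in the clear. Existing jobs saved before a fix keep the plaintext element until they are re-saved, which is why the migration step in `readResolve()` matters.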