Miggo Logo
Miggo Vulnerability Database
CVE-2020-2128

CVE-2020-2128:
Password stored in plain text by ECX Copy Data Management Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2128
GHSA ID
GHSA-6793-gmp9-2535
EPSS Score
0.07093%
CWE
CWE-256
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
com.catalogic.ecxjenkins:catalogic-ecxmaven<= 1.9

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted password storage in config.xml files. Jenkins plugin credentials are typically handled via: 1) Data-bound fields in builders (like ECXBuilder) that serialize to job configs, and 2) DescriptorImpl classes managing global configuration. The advisory explicitly states the password is stored in plain text in job config.xml, indicating the functions responsible for persisting the password field (likely servicePassword setters/constructors and configuration serialization logic) lack encryption. While no code is available, Jenkins plugin design patterns and the CWE-256/522 mapping strongly suggest these are the vulnerable components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins **X *opy **t* M*n***m*nt Plu*in *.* *n* **rli*r stor*s * p*sswor* un*n*rypt** in jo* *on*i*.xml *il*s on t** J*nkins m*st*r w**r* it **n ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** m*st*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** p*sswor* stor*** in *on*i*.xml *il*s. J*nkins plu*in *r***nti*ls *r* typi**lly **n*l** vi*: *) **t*-*oun* *i*l*s in *uil**rs (lik* **X*uil**r) t**t s*ri*liz* to jo* *on*i*s, *n* *) **s*riptorImpl *l*ss*s m*n**