
CVE-2020-2129:
Plaintext Storage of a Password in Jenkins Eagle Tester Plugin

CVSS Score (v3.1): 6.5

Basic Information

EPSS Score: 0.1451%
Published: 5/24/2022
Updated: 1/27/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Package Name: com.mobileenerlytics.eagle.tester:eagle-tester
Ecosystem: maven
Vulnerable Versions: <= 1.0.9
First Patched Version: none listed

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from unencrypted password storage in the global configuration file. Jenkins plugins typically use a configure() method in their Descriptor/configuration classes to persist settings. The advisory explicitly references the RPDPluginConfiguration.xml file path, indicating the RPDPluginConfiguration class is responsible for credential storage. Since no encryption is applied during configuration serialization (as confirmed by the plaintext storage description), the method handling configuration persistence (likely configure() or related XML serialization) is the root cause.
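As an added illustration (not code from the Eagle Tester plugin, from Jenkins, or from Miggo), the listing below shows the persistence pattern the analysis describes. A Jenkins GlobalConfiguration is a Descriptor; its save() serializes the object's fields with XStream into $JENKINS_HOME/<id>.xml (the class name by default), so a plain String password field ends up on disk in cleartext. The hardened form holds the credential as hudson.util.Secret, which XStream persists through Secret's own converter in encrypted form. The package and class names are hypothetical; the page names RPDPluginConfiguration but its source is not shown here, so the "before" fragment is a reconstruction of the pattern, not the plugin's actual code.

```java
package com.example.jenkins;  // hypothetical package, not the plugin's

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.StaplerRequest;

/*
 * BEFORE (the weak pattern the advisory describes, reconstructed, not the
 * plugin's code):
 *
 *     private String password;                 // plain String field
 *     ...
 *     password = json.getString("password");   // inside configure()
 *     save();                                  // XStream writes it verbatim
 *
 * Descriptor.save() serializes every non-transient field to
 * $JENKINS_HOME/<descriptor id>.xml (the fully qualified class name unless
 * getId() is overridden), so a String password is written as
 * <password>cleartext</password> and is readable by anyone who can read
 * the controller's file system.
 */
@Extension
public class ExampleGlobalConfiguration extends GlobalConfiguration {

    // AFTER: keep the credential as hudson.util.Secret. Secret has its own
    // XStream converter, so the value written to the XML file is the
    // encrypted form (protected by the controller's master key), not the
    // cleartext the user typed into the form.
    private Secret password;

    public ExampleGlobalConfiguration() {
        load();  // reads the XML back; the Secret field is decrypted lazily on access
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        // Secret.fromString accepts either cleartext (fresh form input) or an
        // already-encrypted value (a round-tripped form field) and wraps it.
        password = Secret.fromString(json.getString("password"));
        save();  // now persists the encrypted representation
        return true;
    }

    /**
     * Expose the Secret, not a String. Code that truly needs the raw value
     * calls getPlainText() at the point of use, which keeps the cleartext
     * out of the config page, the XML file, and any toString() in logs.
     */
    public Secret getPassword() {
        return password;
    }
}
```

A quick defender's check for this class of issue is to look at the plugin's serialized configuration under $JENKINS_HOME: a Secret field shows up as an opaque encrypted value, whereas a String field shows the password verbatim in the XML element. Migrating an existing installation from the String form is straightforward because Secret.fromString also accepts cleartext, so the next save() rewrites the file in encrypted form.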


WAF Protection Rules

WAF Rule

Jenkins Eagle Tester Plugin 1.0.9 and earlier stores a password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.

Reasoning

The vulnerability stems from unencrypted password storage in the global `configuration` file. Jenkins plugins typically use a `configure()` method in their `Descriptor/configuration` classes to persist settings. The advisory explicitly references the