Miggo Logo

CVE-2020-2130: Passwords stored in plain text by Harvest SCM Plugin

4.3

CVSS Score
3.1

Basic Information

EPSS Score
0.1451%
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:harvestmaven<= 0.5.1

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted password storage in XML configuration files. Jenkins plugins typically serialize configuration data using XStream, and the HarvestSCM class's password field would be directly serialized. The DescriptorImpl.configure() method would handle global configuration persistence. Both locations fail to use Jenkins' Secret class or equivalent encryption mechanisms before storage, violating credential protection best practices. The advisory explicitly identifies these two storage locations (global config and job config.xml), which map directly to these functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**rv*st S*M Plu*in *.*.* *n* **rli*r stor*s S*M p*sswor*s un*n*rypt** in its *lo**l *on*i*ur*tion *il* `*u*son.plu*ins.**rv*st.**rv*stS*M.xml *n* in jo* *on*i*.xml` *il*s on t** J*nkins *ontroll*r. T**s* *r***nti*ls **n ** vi*w** *y us*rs wit* *xt*n*

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** p*sswor* stor*** in XML *on*i*ur*tion *il*s. J*nkins plu*ins typi**lly s*ri*liz* *on*i*ur*tion **t* usin* XStr**m, *n* t** `**rv*stS*M` *l*ss's p*sswor* *i*l* woul* ** *ir**tly s*ri*liz**. T** `**s*riptorImpl.