CVE-2020-2132:
Password stored in plain text by Parasoft Environment Manager Plugin

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.1451%
Published: 5/24/2022
Updated: 12/13/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name                      | Ecosystem | Vulnerable Versions | First Patched Version
com.parasoft:environment-manager  | maven     | < 2.15              | 2.15

Vulnerability Intelligence

Root Cause Analysis

The vulnerability stems from two key elements: 1) The password field was declared as a String type rather than Jenkins' secure Secret type, allowing plaintext storage. 2) The getRepoPassword() method exposed the plaintext value directly. The commit diff shows both the field type change (String→Secret) and the getter modification to use Secret.getPlainText(), confirming these were the vulnerable points. The CWE-256 classification (plaintext storage) directly maps to these implementation choices.
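The String-versus-Secret pattern described above, as an added illustration (not the plugin's own code; the class and constructor names are hypothetical, only getRepoPassword() is taken from the page). It assumes a Jenkins plugin build where hudson.util.Secret and Stapler's @DataBoundConstructor are on the classpath.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

public class RepoCredentialsExample {

    // BEFORE (CWE-256): Jenkins persists this object into the job's config.xml
    // with XStream, and a String field is written there verbatim. Anyone with
    // Extended Read permission, or read access to the master's file system,
    // sees the password.
    public static class Vulnerable {
        private final String repoPassword;

        @DataBoundConstructor
        public Vulnerable(String repoPassword) {
            this.repoPassword = repoPassword;
        }

        public String getRepoPassword() {
            return repoPassword; // plaintext at rest and on every read
        }
    }

    // AFTER: the field is typed as hudson.util.Secret. XStream uses Secret's
    // converter, so config.xml holds the encrypted form (decryptable only with
    // the master's secret key, not from the file alone). Stapler converts the
    // submitted form String into a Secret via Secret.fromString().
    public static class Fixed {
        private final Secret repoPassword;

        @DataBoundConstructor
        public Fixed(Secret repoPassword) {
            this.repoPassword = repoPassword;
        }

        // Mirrors the fix the page describes: the getter decrypts on demand.
        // Secret.toString() is null-safe and returns "" for an unset field.
        // Callers still receive plaintext at runtime; what changed is what is
        // stored on disk and shown in config.xml.
        public String getRepoPassword() {
            return Secret.toString(repoPassword);
        }
    }

    // Migration note: a pre-fix config.xml still contains the raw String.
    // Secret.fromString() accepts either ciphertext or plaintext, so the old
    // value loads into the Secret-typed field and is written back encrypted on
    // the next save; existing jobs keep working without manual re-entry.
}
```

A defender checking a Jenkins master for this class of issue can grep job config.xml files for the plugin's password element and confirm the value has the {...} encrypted form rather than a readable string.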


WAF Protection Rules

WAF Rule

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.
