CVE-2020-2145:
Credentials stored in plain text by Zephyr Enterprise Test Management Plugin
3.3
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.01037%
CWE
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
---|---|---|---|
org.jenkins-ci.plugins:zephyr-enterprise-test-management | maven | < 1.10 | 1.10 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability stems from plaintext password storage in ZeeReporter.xml. Jenkins plugins typically:
- Use getters/setters for configuration fields (getPassword)
- Use Descriptor classes for global config persistence (ZeeReporterDescriptor)
While no patch code is available, the advisory explicitly identifies:
- The vulnerable file (ZeeReporter.xml)
- The mitigation path (Credentials Plugin integration)
These functions would appear in runtime profiling when:
- Configuring the plugin (password setter/getter calls)
- Saving global configuration (descriptor persistence)
High confidence in getPassword() as it directly exposes the sensitive value. Medium confidence in descriptor save mechanism as it's pattern-based inference.