3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-2218

GHSA ID

GHSA-fc3j-cfqv-pfrm

EPSS Score

0.14162%

CWE

CWE-256

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2218

CVE-2020-2218: Password stored in plain text by Jenkins HP ALM Quality Center Plugin

HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins controller file system.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-2218

CVE-2020-2218:

3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2020-2218

GHSA ID

GHSA-fc3j-cfqv-pfrm

EPSS Score

0.14162%

CWE

CWE-256

Published

5/24/2022

Updated

10/26/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:hp-quality-center	maven	<= 1.6

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper credential handling in the plugin's configuration persistence layer. Jenkins plugins typically use Secret-based mechanisms for credentials, but the HP ALM Quality Center Plugin <=1.6:

Implements configure() without encrypting the password field
Fails to use Jenkins' Secret class for password storage
Directly serializes sensitive data to disk via XStream This matches CWE-256 (plaintext storage) and CWE-522 (insufficient protection). The QualityCenterIntegrationRecorder class is explicitly named in the advisory's configuration file path, and password field handling in Jenkins plugins follows predictable patterns.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-2218: Password stored in plain text by Jenkins HP ALM Quality Center Plugin

CVE-2020-2218:

3.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

3.3

3.3

Technical Details

Basic Information

Basic Information

CVE-2020-2218: Password stored in plain text by Jenkins HP ALM Quality Center Plugin

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI