
CVE-2020-2218: Password stored in plain text by Jenkins HP ALM Quality Center Plugin

CVSS Score: 3.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.14162%
Published: 5/24/2022
Updated: 10/26/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:hp-quality-center
Ecosystem: maven
Vulnerable Versions: <= 1.6
First Patched Version: none listed

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stems from improper credential handling in the plugin's configuration persistence layer. Jenkins provides hudson.util.Secret precisely so that a credential is encrypted before it is persisted, but the HP ALM Quality Center Plugin <= 1.6:

  1. Declares the global-configuration password as a plain String field rather than a hudson.util.Secret, so nothing encrypts the value before it is stored.
  2. Accepts the submitted value in configure() and keeps it as-is in the descriptor.
  3. Lets Jenkins' XStream persistence write that field verbatim into org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml on the controller.

This matches CWE-256 (Plaintext Storage of a Password) and CWE-522 (Insufficiently Protected Credentials). The QualityCenterIntegrationRecorder class is explicitly named in the advisory's configuration file path; the field-level detail above is inferred from the usual Jenkins plugin pattern rather than quoted from the plugin's source. The CVSS vector (AV:L, PR:L) reflects the exposure: anyone who can read files on the Jenkins controller can recover the ALM password, so until a fixed release is available the credential should be treated as exposed to those users and rotated once controller file access has been restricted.
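As an added example, not code from the Miggo page or from the plugin, the following Python script audits a Jenkins global-configuration XML file for the failure mode described above. It flags credential-bearing elements whose value is not in the `{base64}` form that a `hudson.util.Secret` field serializes to, which is exactly what a plain `String` field produces. The sample XML, its element names, the server URL and the fake ciphertext are constructed for the example and are not taken from the plugin's source; the `{base64}` shape of an encrypted Secret and the `$JENKINS_HOME/<class>.xml` persistence location are assumptions stated in the code.

```python
"""Audit a Jenkins global-configuration XML file for plaintext credentials.

Added example, not code from the Miggo page or from the HP ALM Quality
Center plugin. Assumptions:
  * Jenkins persists each Descriptor's global configuration via XStream to
    $JENKINS_HOME/<describable.class.Name>.xml.
  * A field typed hudson.util.Secret is written as "{<base64>}" (the
    encrypted form from Secret.getEncryptedValue() on current Jenkins);
    a field typed java.lang.String is written verbatim, which is the
    CVE-2020-2218 failure mode.
  * Element names and values in the sample XML below are constructed for
    the example, not copied from the plugin's source.
"""
import base64
import binascii
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names that commonly carry credentials in plugin config files.
SENSITIVE_TAGS = {"password", "passphrase", "secret", "apiKey", "apiToken", "token"}

# Encrypted hudson.util.Secret values have the shape {base64}.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if value has the shape Jenkins uses for an encrypted Secret."""
    value = value.strip()
    if not ENCRYPTED_SECRET.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
    except binascii.Error:
        return False
    return True


def find_plaintext_credentials(xml_text: str):
    """Return [(element_path, value)] for credential elements stored unencrypted."""
    root = ET.fromstring(xml_text)
    findings = []

    def walk(elem, path):
        for child in elem:
            tag = child.tag.split("}")[-1]          # strip any XML namespace
            child_path = f"{path}/{tag}"
            text = (child.text or "").strip()
            if tag in SENSITIVE_TAGS and text and not is_encrypted_secret(text):
                findings.append((child_path, text))
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def audit_jenkins_home(jenkins_home: str):
    """Scan every top-level *.xml in JENKINS_HOME; returns {filename: findings}."""
    results = {}
    for xml_file in sorted(Path(jenkins_home).glob("*.xml")):
        try:
            findings = find_plaintext_credentials(xml_file.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue                                # skip non-XML or corrupt files
        if findings:
            results[xml_file.name] = findings
    return results


# Constructed sample: the shape a plain String password field produces.
VULNERABLE_CONFIG = """<org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder plugin="hp-quality-center@1.6">
  <qcServerUrl>https://alm.example.invalid/qcbin</qcServerUrl>
  <username>jenkins-svc</username>
  <password>S3cr3t-Passw0rd</password>
</org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder>
"""

# Constructed sample: the same field declared as hudson.util.Secret.
# The ciphertext is fake; only its {base64} shape matters here.
HARDENED_CONFIG = VULNERABLE_CONFIG.replace(
    "S3cr3t-Passw0rd", "{AQAAABAAAAAQdGhpc2lzZmFrZWNpcGhlcnRleHQ=}"
)

if __name__ == "__main__":
    for label, cfg in (("vulnerable", VULNERABLE_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, find_plaintext_credentials(cfg))
```

Run `audit_jenkins_home("/var/lib/jenkins")` (or wherever `JENKINS_HOME` lives) on a controller to list every global-configuration file that still carries an unencrypted credential. Anything the script flags should be re-entered once the affected plugin is upgraded to a release that uses `Secret`, and the flagged value should be treated as disclosed to anyone who had controller file access in the meantime. Legacy secrets encrypted by very old Jenkins releases were stored as bare base64 without braces and will also be flagged; review those by hand rather than trusting the heuristic.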


WAF Protection Rules

WAF Rule

HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file `org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml`. This password can be viewed by users with access to the Jenkins controller.
