3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2232

GHSA ID

GHSA-5c4v-vh95-c67c

EPSS Score

0.14456%

CWE

CWE-319

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2232

CVE-2020-2232: Jenkins Email Extension Plugin SMTP password transmitted and displayed in plain text

Email Extension Plugin stores an SMTP password in its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller as part of its configuration.

While this password is stored encrypted on disk, it is transmitted and displayed in plain text as part of the configuration form by Email Extension Plugin 2.72 and 2.73. This can result in exposure of the password.

Email Extension Plugin 2.74 transmits the SMTP password in its global configuration encrypted and masks it using a password field.

(GitHub Advisory)

3.7

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2232

GHSA ID

GHSA-5c4v-vh95-c67c

EPSS Score

0.14456%

CWE

CWE-319

Published

5/24/2022

Updated

12/14/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:email-ext	maven	>= 2.72, < 2.74	2.74

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from the UI rendering of the SMTP password field. The commit diff shows a change from f.textbox() to f.password() in the configuration form definition. In vulnerable versions (2.72-2.73), the textbox implementation caused cleartext transmission and display, matching CWE-319. The config.groovy file's smtpPassword entry is directly responsible for handling password input rendering, making this function the clear vulnerability source.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

*m*il *xt*nsion Plu*in stor*s *n SMTP p*sswor* in its *lo**l *on*i*ur*tion *il* `*u*son.plu*ins.*m*il*xt.*xt*n****m*ilPu*lis**r.xml` on t** J*nkins *ontroll*r *s p*rt o* its *on*i*ur*tion. W*il* t*is p*sswor* is stor** *n*rypt** on *isk, it is tr*ns

Reasoning

T** vuln*r**ility st*ms *rom t** UI r*n**rin* o* t** SMTP p*sswor* *i*l*. T** *ommit *i** s*ows * ***n** *rom `*.t*xt*ox()` to `*.p*sswor*()` in t** *on*i*ur*tion *orm ***inition. In vuln*r**l* v*rsions (*.**-*.**), t** t*xt*ox impl*m*nt*tion **us**

3.7

Basic Information

Concerned about an active attack path?

CVE-2020-2232: Jenkins Email Extension Plugin SMTP password transmitted and displayed in plain text

3.7

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI