
CVE-2020-2239: Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin

CVSS Score: 3.3 (CVSS v3.1)

Basic Information

EPSS Score: 0.14665%
Published: 5/24/2022
Updated: 12/7/2023
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:Parameterized-Remote-Trigger
Ecosystem: maven
Vulnerable Versions: <= 3.1.3
First Patched Version: 3.1.4

Vulnerability Intelligence

Root Cause Analysis (Miggo AI)

The vulnerability stems from handling the authentication token as a plain-text String instead of an encrypted Secret object. The fixing commit makes three critical changes: 1) TokenAuth's apiToken field changes type from String to Secret; 2) getApiToken()/setApiToken() are changed to return and accept a Secret; 3) Auth.auth2ToAuth() no longer calls getApiToken().getPlainText(). In vulnerable versions these functions stored and retrieved the credential without encryption, matching the CWE-256/CWE-311 descriptions of plaintext storage of credentials.
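The String-to-Secret change described above, shown as an added illustration (this is not the plugin's own code; the class and field names `TokenAuthBefore`, `TokenAuthAfter`, `apiToken` and the `RemoteCaller` consumer are assumptions chosen to mirror the pattern, and `hudson.util.Secret` is the real Jenkins type that the fix relies on):

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

// Jenkins persists Describable objects to XML with XStream. Whatever a field holds
// is what lands in the config file, so the field's TYPE decides whether the
// credential is written in the clear or encrypted.

// BEFORE (vulnerable pattern): plain String field.
// Persisted as <apiToken>the-real-token</apiToken>, readable by anyone who can
// read the global configuration XML on the controller (CWE-256 / CWE-311).
class TokenAuthBefore {
    private String apiToken;

    @DataBoundConstructor
    public TokenAuthBefore(String apiToken) {
        this.apiToken = apiToken;
    }

    public String getApiToken() {
        return apiToken;
    }
}

// AFTER (hardened pattern): hudson.util.Secret field.
// Secret's XStream converter writes the value encrypted with the controller's
// master key, and Stapler binds form input to Secret automatically.
class TokenAuthAfter {
    private Secret apiToken;

    @DataBoundConstructor
    public TokenAuthAfter(Secret apiToken) {
        this.apiToken = apiToken;
    }

    // Getter/setter work with Secret, not String, so callers cannot accidentally
    // persist or log the raw value.
    public Secret getApiToken() {
        return apiToken;
    }

    public void setApiToken(Secret apiToken) {
        this.apiToken = apiToken;
    }

    // Backward compatibility: Secret.fromString() accepts either an already
    // encrypted value or legacy plain text, so an old XML file written by the
    // String-typed version still loads and is re-encrypted on the next save.
    public static TokenAuthAfter fromLegacyPlainText(String legacyToken) {
        return new TokenAuthAfter(Secret.fromString(legacyToken));
    }
}

// Consumer side (assumed helper): decrypt only at the point of use, never in a
// getter that something else might serialise.
class RemoteCaller {
    static String buildAuthHeaderValue(TokenAuthAfter auth) {
        String raw = auth.getApiToken().getPlainText(); // decrypted in memory only
        return "Bearer " + raw;
    }
}
```

Secret encryption is tied to the running controller's master key, so this code only behaves as described inside a Jenkins process (for unit tests, the Jenkins test harness's JenkinsRule provides one). A practical verification after upgrading is to inspect the plugin's global configuration XML under JENKINS_HOME: an encrypted Secret appears as an opaque encoded blob rather than the token itself.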

Vulnerable functions

Only Miggo users can see this section.

WAF Protection Rules

WAF Rule

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file `org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml` on the Jenkins controller as part of its configuration.

Reasoning

The vulnerability stems from handling authentication tokens as plain text strings instead of encrypted Secret objects. The commit diff shows critical changes: 1) `TokenAuth`'s `apiToken` field changed from `String` to `Secret` type 2) `getApiToken()`