Miggo Logo
Miggo Vulnerability Database
CVE-2020-2250

CVE-2020-2250: Passwords stored in plain text by Jenkins ReadyAPI Functional Testing Plugin

4.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2250
GHSA ID
GHSA-ccwp-633j-g29v
EPSS Score
0.3819%
CWE
CWE-256
Published
5/24/2022
Updated
10/26/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:soapui-pro-functional-testingmaven<= 1.31.4

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from improper handling of sensitive data in configuration persistence. Jenkins plugins typically use XStream serialization and the Secret class for credentials. The functions responsible for (1) configuring plugin settings (ProPluginImpl#configure) and (2) exposing password values (ProBuilder#getPassword) would directly control how passwords are stored. The CWE-256/CWE-311 alignment confirms plaintext storage patterns, and the fix in v1.4 implies encryption was added to these configuration pathways.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

R***y*PI *un*tion*l T*stin* Plu*in *.* *n* **rli*r stor*s proj**t p*sswor*s un*n*rypt** in jo* `*on*i*.xml` *il*s *s p*rt o* its *on*i*ur*tion. T**s* proj**t p*sswor*s **n ** vi*w** *y *tt**k*rs wit* *xt*n*** R*** p*rmission or ****ss to t** J*nkins

Reasoning

T** vuln*r**ility st*ms *rom improp*r **n*lin* o* s*nsitiv* **t* in `*on*i*ur*tion` p*rsist*n**. J*nkins plu*ins typi**lly us* `XStr**m` s*ri*liz*tion *n* t** `S**r*t` *l*ss *or *r***nti*ls. T** `*un*tions` r*sponsi*l* *or (*) *on*i*urin* plu*in s*tt