3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2314

CVE-2020-2314: Password stored in plain text by Jenkins AppSpider Plugin

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2020-2314

CVE-2020-2314:

3.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.rapid7:jenkinsci-appspider-plugin	maven	< 1.0.13	1.0.13

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper credential handling in the plugin's configuration persistence layer. The advisory explicitly identifies the global configuration file 'com.rapid7.jenkinspider.PostBuildScan.xml' as storing credentials in plaintext. In Jenkins plugin architecture:

The 'configure' method typically handles form data binding and configuration persistence
Getter methods like 'getPassword' are used during XML serialization
The fixed version 1.0.13 added encryption-on-save behavior, indicating the original implementation lacked proper credential encryption during these operations. The class name and file path are inferred from the vulnerable configuration filename following Java package naming conventions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

3.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2020-2314: Password stored in plain text by Jenkins AppSpider Plugin

CVE-2020-2314:

3.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Technical Details

3.3

3.3

Basic Information

Basic Information

CVE-2020-2314: Password stored in plain text by Jenkins AppSpider Plugin

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI