6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2318

GHSA ID

GHSA-485q-v457-3p58

EPSS Score

0.1451%

CWE

CWE-256

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2020-2318

CVE-2020-2318: Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin

Jenkins Mail Commander Plugin for Jenkins-ci Plugin 1.0.0 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

(GitHub Advisory)

6.5

CVSS Score

3.1

Basic Information

CVE ID

CVE-2020-2318

GHSA ID

GHSA-485q-v457-3p58

EPSS Score

0.1451%

CWE

CWE-256

Published

5/24/2022

Updated

1/31/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:mailcommander	maven	<= 1.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability explicitly describes plaintext password storage in job config.xml files. Jenkins plugins typically serialize job configuration data using XStream, which writes field values directly unless explicitly protected. The absence of encryption implies the password field was declared as a String (not Secret) and lacked @Secret annotations or proper handling. While the exact class/method names are unavailable without source code, the root cause lies in the serialization logic of password fields in configuration classes, a common pattern in Jenkins plugins. This matches CWE-256 (plaintext storage) and CWE-522 (insufficient credential protection).

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins M*il *omm*n**r Plu*in *or J*nkins-*i Plu*in *.*.* *n* **rli*r stor*s p*sswor*s un*n*rypt** in jo* *on*i*.xml *il*s on t** J*nkins *ontroll*r w**r* t**y **n ** vi*w** *y us*rs wit* *xt*n*** R*** p*rmission, or ****ss to t** J*nkins *ontroll*r

Reasoning

T** vuln*r**ility *xpli*itly **s*ri**s pl*int*xt p*sswor* stor*** in jo* `*on*i*.xml` *il*s. J*nkins plu*ins typi**lly s*ri*liz* jo* *on*i*ur*tion **t* usin* XStr**m, w*i** writ*s *i*l* v*lu*s *ir**tly unl*ss *xpli*itly prot**t**. T** **s*n** o* *n*r

6.5

Basic Information

Concerned about an active attack path?

CVE-2020-2318: Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin

6.5

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI