CVE-2020-2318: Passwords stored in plain text by Mail Commander Plugin for Jenkins-ci Plugin
6.5
CVSS Score
3.1
Basic Information
CVE ID
GHSA ID
EPSS Score
0.1451%
CWE
Published
5/24/2022
Updated
1/31/2023
KEV Status
No
Technology
Java
Technical Details
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| org.jenkins-ci.plugins:mailcommander | maven | <= 1.0.0 |
Vulnerability Intelligence
Miggo AI
Root Cause Analysis
The vulnerability explicitly describes plaintext password storage in job config.xml files. Jenkins plugins typically serialize job configuration data using XStream, which writes field values directly unless explicitly protected. The absence of encryption implies the password field was declared as a String (not Secret) and lacked @Secret annotations or proper handling. While the exact class/method names are unavailable without source code, the root cause lies in the serialization logic of password fields in configuration classes, a common pattern in Jenkins plugins. This matches CWE-256 (plaintext storage) and CWE-522 (insufficient credential protection).