Miggo Logo
Miggo Vulnerability Database
CVE-2020-2319

CVE-2020-2319:
Password stored in plain text by Jenkins VMware Lab Manager Slaves Plugin

3.3

CVSS Score
3.1

Basic Information

CVE ID
CVE-2020-2319
GHSA ID
GHSA-cg4h-cfjp-h3x2
EPSS Score
0.1451%
CWE
CWE-256
Published
5/24/2022
Updated
1/31/2023
KEV Status
No
Technology
TechnologyJava

Technical Details

CVSS Vector
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Package NameEcosystemVulnerable VersionsFirst Patched Version
org.jenkins-ci.plugins:labmanagermaven<= 0.2.8

Vulnerability Intelligence
Miggo AIMiggo AI

Miggo AIRoot Cause Analysis

The vulnerability stems from unencrypted password storage in Jenkins' global config.xml. Jenkins plugins typically serialize configuration data through getter methods in their configuration classes. The presence of a plaintext password in config.xml indicates the password field was not properly encrypted before serialization. The getPassword() method in the plugin's configuration class would be directly responsible for exposing the plaintext value to the serialization process. This pattern matches Jenkins plugin development conventions where sensitive fields require explicit encryption handling using Secret class mechanisms, which appears absent here.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins VMw*r* L** M*n***r Sl*v*s Plu*in *.*.* *n* **rli*r stor*s * p*sswor* un*n*rypt** in t** *lo**l `*on*i*.xml` *il* on t** J*nkins *ontroll*r, w**r* it **n ** vi*w** *y us*rs wit* ****ss to t** J*nkins *ontroll*r *il* syst*m.

Reasoning

T** vuln*r**ility st*ms *rom un*n*rypt** p*sswor* stor*** in J*nkins' *lo**l `*on*i*.xml`. J*nkins plu*ins typi**lly s*ri*liz* *on*i*ur*tion **t* t*rou** **tt*r m*t*o*s in t**ir *on*i*ur*tion *l*ss*s. T** pr*s*n** o* * pl*int*xt p*sswor* in `*on*i*.x