SB2020032618 - Cleartext transmission of sensitive information in Jenkins Artifactory plugin
Published: March 26, 2020
Security Bulletin ID
SB2020032618
CSH Severity
Low
Patch available
YES
Number of vulnerabilities
1
Exploitation vector
Remote access
Highest impact
Information disclosure
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cleartext transmission of sensitive information (CVE-ID: CVE-2020-2165)
CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information
CVSSv4: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a remote attacker to gain access to sensitive information.The vulnerability exists due to the affected software stores Artifactory server passwords in its global configuration file "org.jfrog.hudson.ArtifactoryBuilder.xml" on the Jenkins master as part of its configuration. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
Remediation
Install update from vendor's website.