Main Vulnerability Database Vulnerabilities #VU26394

Cleartext storage of sensitive information in Artifactory - CVE-2020-2164

Published: March 26, 2020

Vulnerability identifier: #VU26394

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-2164

CWE-ID: CWE-312

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Artifactory

Detailed vulnerability description

The vulnerability allows a local user to view the password on the target system.

The vulnerability exists due to the affected software stores its Artifactory server password in plain text in the global configuration file "org.jfrog.hudson.ArtifactoryBuilder.xml". A local user with access to the Jenkins master file system can obtain credentials.

How to mitigate CVE-2020-2164

Install updates from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20(1)

Cleartext storage of sensitive information in Artifactory - CVE-2020-2164

Detailed vulnerability description

How to mitigate CVE-2020-2164

Sources

Please verify you're human