Cleartext transmission of sensitive information in Artifactory - CVE-2020-2165

 

Cleartext transmission of sensitive information in Artifactory - CVE-2020-2165

Published: March 26, 2020


Vulnerability identifier: #VU26395
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-2165
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Artifactory

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the affected software stores Artifactory server passwords in its global configuration file "org.jfrog.hudson.ArtifactoryBuilder.xml" on the Jenkins master as part of its configuration. A remote attacker with ability to intercept network traffic can gain access to sensitive data.


How to mitigate CVE-2020-2165

Install updates from vendor's website.

Sources