Cleartext transmission of sensitive information in Artifactory - CVE-2020-2165
Published: March 26, 2020
Vulnerability identifier: #VU26395
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2020-2165
CWE-ID: CWE-319
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Artifactory
Artifactory
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to sensitive information.The vulnerability exists due to the affected software stores Artifactory server passwords in its global configuration file "org.jfrog.hudson.ArtifactoryBuilder.xml" on the Jenkins master as part of its configuration. A remote attacker with ability to intercept network traffic can gain access to sensitive data.
How to mitigate CVE-2020-2165
Install updates from vendor's website.