Main Vulnerability Database Vulnerabilities #VU26395

#VU26395 Cleartext transmission of sensitive information in Artifactory - CVE-2020-2165

Published: March 26, 2020

Vulnerability identifier: #VU26395

Vulnerability risk: Low

CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2020-2165

CWE-ID: CWE-319

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vulnerable software:
Artifactory

Software vendor:
Jenkins

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the affected software stores Artifactory server passwords in its global configuration file "org.jfrog.hudson.ArtifactoryBuilder.xml" on the Jenkins master as part of its configuration. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Remediation

Install updates from vendor's website.

External links

http://www.openwall.com/lists/oss-security/2020/03/25/2
https://jenkins.io/security/advisory/2020-03-25/#SECURITY-1542%20(2)

#VU26395 Cleartext transmission of sensitive information in Artifactory - CVE-2020-2165

Description

Remediation

External links

Please verify you're human