Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the…
jenkins·CWE-522·Published 2020-03-25
Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Jenkins Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by users with access to the Jenkins controller file system. Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.
Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by users with access to the Jenkins controller file system. Artifactory Plugin 3.6.0 now stores the Artifactory server password encrypted. This change is effective once the global configuration is saved the next time.
Jenkins Artifactory Plugin versiones 3.5.0 y anteriores, almacenan su contraseña no cifrada en el servidor de Artifactory en su archivo de configuración global en el maestro Jenkins, donde puede ser visualizado por usuarios con acceso al sistema de archivos maestro.
| Version | Type | Source | Base | Exp | Impact | Vector |
|---|---|---|---|---|---|---|
| 2.0 | Primary | NVD | 4.0 | 8.0 | 2.9 | AV:N/AC:L/Au:S/C:P/I:N/A:N |
| 3.1 | Primary | NVD | 6.5 | 2.8 | 3.6 | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| 3.1 | Secondary | GHSA | 3.3 | — | — | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |