CVE-2020-2165

Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml` on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

Jenkins Artifactory Plugin 3.6.0 and earlier stores Artifactory server passwords in its global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml` on the Jenkins controller as part of its configuration. While the password is stored encrypted on disk since Artifactory Plugin 3.6.0, it is transmitted in plain text as part of the configuration form by Artifactory Plugin 3.6.0 and earlier. This can result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. Artifactory Plugin 3.6.1 transmits the password in its global configuration encrypted.

Jenkins Artifactory Plugin versiones 3.6.0 y anteriores, transmiten contraseñas configuradas en texto plano como parte de su formulario de configuración global de Jenkins, resultando potencialmente en su exposición.