PT-2020-2653 · Jenkins · Jenkins Artifactory Plugin

Ethorsa

Published: 2020-03-25
Updated: 2024-03-06
CVE-2020-2165

CVSS v2.0: 7.8 (High)
Vector: AV:N/AC:L/Au:N/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Artifactory Plugin versions 3.6.0 and earlier

Description: The Jenkins Artifactory Plugin transmits configured passwords in plain text as part of the global Jenkins configuration form, potentially exposing them. A password sent this way can be captured by browser extensions, through cross-site scripting vulnerabilities, and in similar situations. The password has been stored encrypted on disk since Artifactory Plugin 3.6.0, but versions 3.6.0 and earlier still transmit it in plain text.

Recommendations: For Jenkins Artifactory Plugin versions 3.6.0 and earlier, update to version 3.6.1 or later, which transmits the password in its global configuration encrypted. As a temporary workaround, consider restricting access to the global configuration form to minimize the risk of exploitation. Avoid using the org.jfrog.hudson.ArtifactoryBuilder.xml configuration file until the issue is resolved.
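One way to check a Jenkins instance's plugin inventory against the affected-version range above (an added example, not part of this advisory): it reads the JSON that Jenkins' pluginManager API returns for `GET <jenkins>/pluginManager/api/json?depth=1` and flags Artifactory Plugin builds earlier than 3.6.1. The plugin short name `artifactory` is assumed, and the sample payload is constructed for illustration.

```python
"""Flag installed Jenkins Artifactory Plugin builds affected by CVE-2020-2165.

Added example, not from the advisory. Assumes the Jenkins pluginManager JSON API
(GET <jenkins>/pluginManager/api/json?depth=1) and that the plugin's shortName is
"artifactory"; the SAMPLE payload below is constructed, not captured from a server.
"""
import json
import re

FIXED_VERSION = (3, 6, 1)          # first release that transmits the password encrypted
PLUGIN_SHORT_NAME = "artifactory"  # assumed shortName of the Jenkins Artifactory Plugin


def parse_version(text):
    """Turn '3.6.0' (or '3.6', '3.6.1-beta') into a tuple of ints for safe comparison.

    Comparing tuples avoids the string-comparison pitfall where '3.10.0' < '3.6.0'.
    """
    match = re.match(r"(\d+)(?:\.(\d+))?(?:\.(\d+))?", text.strip())
    if not match:
        raise ValueError(f"unparseable plugin version: {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_affected(version):
    """Versions 3.6.0 and earlier are affected; 3.6.1 or later is fixed."""
    return parse_version(version) < FIXED_VERSION


def find_affected_plugins(plugin_manager_json):
    """Return (shortName, version) for each active Artifactory Plugin build that is affected."""
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = str(plugin.get("version", ""))
        if plugin.get("active", True) and is_affected(version):
            findings.append((plugin["shortName"], version))
    return findings


# Constructed sample of a pluginManager response (not real output from any instance).
SAMPLE = json.dumps({"plugins": [
    {"shortName": "artifactory", "version": "3.6.0", "active": True},
    {"shortName": "git", "version": "4.2.2", "active": True},
]})

if __name__ == "__main__":
    for name, version in find_affected_plugins(SAMPLE):
        print(f"{name} {version}: affected by CVE-2020-2165, update to 3.6.1 or later")
```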

Weakness Enumeration

Cleartext Transmission of Sensitive Information
Insufficiently Protected Credentials

Related Identifiers

BDU:2020-02697
BIT-ARTIFACTORY-2020-2165
CVE-2020-2165
GHSA-XQF6-5GRH-6223

Affected Products

Jenkins Artifactory Plugin