CVE-2020-2107
Description
Jenkins Fortify Plugin stores proxy passwords in plaintext in job config.xml files, exposing them to users with Extended Read or file system access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Jenkins Fortify Plugin versions 19.1.29 and earlier store proxy server passwords in plaintext in job config.xml files on the Jenkins master [1]. This is a classic case of cleartext storage of sensitive information and violates basic credential-management practice: a secret written to a job's config.xml is readable by anyone who can read that file, not only by the plugin that needs it.
Exploitation
An attacker with Extended Read permission, or with access to the Jenkins master file system, can read these config.xml files and extract the proxy password [2]. No privileges beyond those already granted to users who can view job configurations or access the file system are required.
Impact
Successful exploitation allows an attacker to obtain the proxy server password, which can then be used to access external resources or perform further attacks within the network where the proxy is used.
Mitigation
The vulnerability is fixed in Fortify Plugin version 19.2.30 [3]. Users should upgrade to this version or later. The advisory mentions no workaround.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:fortifyMaven | < 19.2.30 | 19.2.30 |
Affected products
- Range: unspecified
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. https://github.com/advisories/GHSA-xr37-pjfh-qwwc (GitHub Security Advisory)
2. https://nvd.nist.gov/vuln/detail/CVE-2020-2107 (NVD)
3. https://www.openwall.com/lists/oss-security/2020/01/29/1 (oss-security mailing list)
4. https://jenkins.io/security/advisory/2020-01-29/ (Jenkins Security Advisory)
News mentions
- Jenkins Security Advisory 2020-01-29 (Jenkins Security Advisories, Jan 29, 2020)