CVE-2020-2165
Description
Jenkins Artifactory Plugin 3.6.0 and earlier transmits configured passwords in plain text as part of its global Jenkins configuration form, potentially resulting in their exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Artifactory Plugin ≤3.6.0 exposes passwords in plain text in its global configuration form, risking credential theft.
The Jenkins Artifactory Plugin versions 3.6.0 and earlier transmit configured passwords in plain text as part of the global Jenkins configuration form. This means that when an administrator views or submits the form, the password field is sent without encryption, potentially exposing it to anyone with access to the form or who can intercept network traffic [1][2].
An attacker who can view the configuration page or monitor network traffic can easily obtain the cleartext passwords. No special privileges are required beyond network access or the ability to view the Jenkins configuration UI. The attack is low complexity and does not require authentication if the attacker can already access the UI [1][3].
This vulnerability could lead to the compromise of Artifactory server credentials, allowing an attacker to authenticate to the artifact repository and potentially access, modify, or delete build artifacts. This could further enable supply chain attacks or lateral movement within the infrastructure [2].
The issue has been fixed in Artifactory Plugin version 3.6.1. Users are strongly advised to upgrade immediately. There is no reported workaround for this vulnerability [3].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:artifactory (Maven) | < 3.6.1 | 3.6.1 |
Affected products
- osv-coords (2 versions): < 3.6.1 (+ 1 more)
- (no CPE), range: < 3.6.1
- (no CPE), range: < 3.6.1
- Jenkins project/Jenkins Artifactory Plugin (v5), range: 3.6.0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-xqf6-5grh-6223 (ghsa; ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2020-2165 (ghsa; ADVISORY)
- www.openwall.com/lists/oss-security/2020/03/25/2 (ghsa; mailing-list, x_refsource_MLIST, WEB)
- jenkins.io/security/advisory/2020-03-25/ (mitre; x_refsource_CONFIRM)
- jenkins.io/security/advisory/2020-03-25/ (ghsa; WEB)
News mentions
- Jenkins Security Advisory 2020-03-25 (Jenkins Security Advisories · Mar 25, 2020)