CVE-2020-2232
Description
Jenkins Email Extension Plugin 2.72 and 2.73 transmits and displays the SMTP password in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Jenkins Email Extension Plugin 2.72 and 2.73 stores and displays the SMTP password in plaintext in its global configuration, exposing it to authorized users.
Vulnerability
Description
Jenkins Email Extension Plugin versions 2.72 and 2.73 store the SMTP password in plain text within its global configuration file hudson.plugins.emailext.ExtendedEmailPublisher.xml on the Jenkins controller. The password is also transmitted and displayed in plain text on the global Jenkins configuration form, potentially leading to exposure [1][2][3].
Exploitation
An attacker with access to the Jenkins controller's file system, or with the ability to view the global configuration page (which requires Overall/Administer permission), can read the plain-text SMTP password. No authentication beyond a normal Jenkins login is needed to view the configuration form, provided the user holds that administrative permission [3][4].
Impact
If exploited, the plain-text SMTP password can be used by an attacker to send email messages via the configured SMTP server, potentially for phishing, spam, or other malicious purposes. The confidentiality of the email server credentials is compromised [3][4].
Mitigation
The vulnerability is fixed in Email Extension Plugin version 2.74. Users should upgrade to this version or later. As a workaround, administrators should ensure only trusted users have access to Jenkins global configuration and the controller's file system [3][4].
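As an added defender-side check, not code from the Jenkins project or from this advisory: the script below reads a copy of the plugin's global configuration XML and classifies each password element as Jenkins-encrypted or plain text. It relies on one fact about Jenkins: values held as `hudson.util.Secret` are serialised as `{<base64>}`. It assumes (hypothetically) that the element holding the password is named `smtpPassword`, as in the patched form field; the root element and the sample XML are constructed for the example and do not reproduce the real file layout. The check never prints or returns the password values themselves.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serialises a hudson.util.Secret as "{" + base64 + "}"; a value that
# does not match this shape was stored as a plain String.
SECRET_FORM = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample, NOT the real ExtendedEmailPublisher.xml layout:
# one plain-text password at the top level, one Secret-encrypted value nested
# in an account entry. The plain value is a placeholder, not a real credential.
SAMPLE_XML = """<?xml version='1.1' encoding='UTF-8'?>
<emailext-global-config-sample>
  <smtpServer>smtp.example.test</smtpServer>
  <smtpPassword>placeholder-plain-text-password</smtpPassword>
  <accounts>
    <account>
      <address>alerts@example.test</address>
      <smtpPassword>{AQAAABAAAAAQc2FtcGxlLWVuY3J5cHRlZC12YWx1ZQ==}</smtpPassword>
    </account>
  </accounts>
</emailext-global-config-sample>
"""


def classify_value(value):
    """Return 'empty', 'secret' (Jenkins-encrypted form) or 'plaintext'."""
    value = (value or "").strip()
    if not value:
        return "empty"
    if SECRET_FORM.match(value):
        return "secret"
    return "plaintext"


def audit_config(xml_text, tag="smtpPassword"):
    """Classify every <tag> element in document order.

    Returns a list of classifications only; the values themselves are never
    exposed, so the audit output is safe to log.
    """
    root = ET.fromstring(xml_text)
    return [classify_value(elem.text) for elem in root.iter(tag)]


def count_plaintext(xml_text, tag="smtpPassword"):
    """Number of password elements that are stored unencrypted."""
    return audit_config(xml_text, tag).count("plaintext")


if __name__ == "__main__":
    # Realistic use: audit_config(open(path_to_config_xml).read())
    results = audit_config(SAMPLE_XML)
    for index, result in enumerate(results):
        print(f"smtpPassword #{index}: {result}")
    print(f"plain-text password elements: {count_plaintext(SAMPLE_XML)}")
```

Running this against a backup of the controller's configuration after the upgrade is a quick way to confirm that the stored value was re-saved in Secret form; a plain String left in the file is still readable by anyone with file-system access regardless of how the form now renders it. Jenkins versions that predate the braced format wrote Secrets as bare base64, which this check would report as plain text, so treat such a finding as something to verify rather than as proof.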
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.jenkins-ci.plugins:email-ext (Maven) | >= 2.72, < 2.74 | 2.74 |
Affected products
- Jenkins project / Jenkins Email Extension Plugin (range: 2.72)
Patches
- b51497d044e3 [SECURITY-1975]
1 file changed · +2 −2
src/main/resources/hudson/plugins/emailext/MailAccount/config.groovy+2 −2 modified@@ -24,12 +24,12 @@ f.advanced { f.textbox() } f.entry(field: "smtpPassword", title: _("SMTP Password")) { - f.textbox() + f.password() } f.entry(field: "useSsl", title: _("Use SSL")) { f.checkbox() } f.entry(field: "advProperties", title: _("Advanced Email Properties")) { f.textarea() } -} \ No newline at end of file +}
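Review bot: the switch from `f.textbox()` to `f.password()` on the `smtpPassword` entry only changes how the form renders and transmits the value; nothing in this one-file diff touches the model side, so whether the value saved to the controller's configuration XML is encrypted depends on the backing field's type (`hudson.util.Secret` versus `String`), which is not visible here. Since the advisory text on this page states the password is stored in plain text in `hudson.plugins.emailext.ExtendedEmailPublisher.xml`, the fix should be confirmed against the model class, or the commit message should state that storage was already `Secret`-backed and only the form needed correcting. Minor: the trailing `}` hunk only adds the missing newline at end of file, which is fine but would read more clearly as a separate whitespace-only commit.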
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- https://github.com/advisories/GHSA-5c4v-vh95-c67c (GHSA advisory)
- https://nvd.nist.gov/vuln/detail/CVE-2020-2232 (NVD entry)
- https://www.openwall.com/lists/oss-security/2020/08/12/4 (oss-security mailing list)
- https://github.com/jenkinsci/email-ext-plugin/commit/b51497d044e36e950d698a79bb781ef4c83a251c (fix commit)
- https://jenkins.io/security/advisory/2020-08-12/ (vendor advisory)
News mentions
- Jenkins Security Advisory 2020-08-12 (Jenkins Security Advisories, Aug 12, 2020)