GHSA-4q47-ph87-fq4f

GitHub Security Advisory

Passwords stored in plain text by Jenkins Artifactory Plugin

GitHub Reviewed | Severity: LOW | Has CVE

Advisory Details

Artifactory Plugin 3.5.0 and earlier stores its Artifactory server password in plain text in the global configuration file `org.jfrog.hudson.ArtifactoryBuilder.xml`. This password can be viewed by users with access to the Jenkins controller file system.

Artifactory Plugin 3.6.0 stores the Artifactory server password encrypted. The change takes effect the next time the global configuration is saved.
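
Because an upgraded controller keeps the plain-text value until the global configuration is saved again, the file is worth checking after the update. The following is an added example, not code from the advisory or the plugin. It assumes that password fields are elements whose tag name contains "password" and that encrypted Jenkins secrets are serialized as brace-wrapped base64; the sample XML is constructed and does not reproduce the plugin's real schema.

```python
import base64
import re
import sys
import xml.etree.ElementTree as ET

# Assumption: an encrypted Jenkins secret is serialized as "{<base64>}".
SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Jenkins may write an XML 1.1 declaration, which Python's expat-based
# parser rejects, so the declaration is dropped before parsing.
XML_DECL_RE = re.compile(r"^\s*<\?xml[^>]*\?>")

def looks_encrypted(value):
    """True if value has the brace-wrapped base64 shape of a stored secret."""
    if not SECRET_RE.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
        return True
    except ValueError:  # binascii.Error (bad length or padding) is a ValueError
        return False

def find_plaintext_passwords(xml_text):
    """Return element paths of non-empty password-like fields not stored encrypted."""
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        # Heuristic (assumption): tag name contains "password".
        if "password" in elem.tag.lower() and text and not looks_encrypted(text):
            findings.append(here)  # report the location only, never the value
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(XML_DECL_RE.sub("", xml_text, count=1)), "")
    return findings

# Constructed sample: one entry as left by an old version, one after re-saving.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<config><servers>
  <server><name>before-resave</name><password>s3cr3t-example</password></server>
  <server><name>after-resave</name><password>{QUJDREVGR0hJSktMTU5PUA==}</password></server>
</servers></config>"""

if __name__ == "__main__":
    # Usage: python check.py $JENKINS_HOME/org.jfrog.hudson.ArtifactoryBuilder.xml
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE
    hits = find_plaintext_passwords(text)
    for path in hits:
        print(f"plain-text password at {path}: re-save the global configuration")
    sys.exit(1 if hits else 0)
```

The check is a shape heuristic: a plain-text password that happens to be valid base64 inside braces would not be flagged.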

Affected Packages

Maven org.jenkins-ci.plugins:artifactory
Affected versions: 0 (fixed in 3.6.0)

Related CVEs

Key Information

GHSA ID: GHSA-4q47-ph87-fq4f
Published: May 24, 2022 5:12 PM
Last Modified: December 22, 2022 1:54 PM
CVSS Score: 2.5/10
Primary Ecosystem: Maven
Primary Package: org.jenkins-ci.plugins:artifactory
GitHub Reviewed: Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.