Description

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-840

Related Vulnerabilities

CVE-2014-0095 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2020-17523 Vulnerability in maven package org.apache.shiro:shiro-web

CVE-2020-2208 Vulnerability in maven package org.jenkins-ci.plugins:slack-uploader

CVE-2020-2095 Vulnerability in maven package org.jenkins-ci.plugins:redgate-sql-ci

CVE-2020-25640 Vulnerability in maven package org.jboss.genericjms:generic-jms-ra-jar

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory