Description

Jenkins Jira Issue Updater Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-837

Related Vulnerabilities

CVE-2020-15096 Vulnerability in npm package electron

CVE-2020-26149 Vulnerability in npm package nats.ws

CVE-2022-24719 Vulnerability in npm package fluture-node

CVE-2022-33980 Vulnerability in maven package org.apache.commons:commons-configuration2

CVE-2021-21345 Vulnerability in maven package com.thoughtworks.xstream:xstream

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory