Description

Jenkins WebSphere Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-956

Related Vulnerabilities

CVE-2020-8129 Vulnerability in npm package script-manager

CVE-2020-7755 Vulnerability in npm package dat.gui

CVE-2020-36049 Vulnerability in maven package org.webjars.npm:socket.io-parser

CVE-2022-38666 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2020-13822 Vulnerability in maven package org.webjars.npm:elliptic

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory