Description

Jenkins AWS CloudWatch Logs Publisher Plugin stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-830

http://www.securityfocus.com/bid/107790

http://www.openwall.com/lists/oss-security/2019/04/12/2

Related Vulnerabilities

CVE-2018-1000198 Vulnerability in maven package com.blackducksoftware.integration:blackduck-hub

CVE-2022-29647 Vulnerability in maven package net.mingsoft:ms-mcms

CVE-2022-25927 Vulnerability in maven package org.webjars.bowergithub.faisalman:ua-parser-js

CVE-2023-38493 Vulnerability in maven package com.linecorp.armeria:armeria

CVE-2023-26491 Vulnerability in npm package rsshub

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry Mailing List