Description
Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-04-03/#SECURITY-842
http://www.securityfocus.com/bid/107790
http://www.openwall.com/lists/oss-security/2019/04/12/2
Related Vulnerabilities
CVE-2022-28135 Vulnerability in maven package org.jvnet.hudson.plugins:instant-messaging
CVE-2015-0226 Vulnerability in maven package org.apache.ws.security:wss4j
CVE-2021-24122 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core
CVE-2023-7078 Vulnerability in npm package miniflare
CVE-2022-22984 Vulnerability in npm package @snyk/snyk-hex-plugin