Description

Jenkins Trac Publisher Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-842

http://www.securityfocus.com/bid/107790

http://www.openwall.com/lists/oss-security/2019/04/12/2

Related Vulnerabilities

CVE-2023-44400 Vulnerability in npm package uptime-kuma

CVE-2022-43405 Vulnerability in maven package io.jenkins.plugins:pipeline-groovy-lib

CVE-2019-10314 Vulnerability in maven package org.jenkins-ci.plugins:koji

CVE-2022-4492 Vulnerability in maven package io.undertow:undertow-core

CVE-2021-44791 Vulnerability in maven package org.apache.druid:druid

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry Mailing List