Description
Jenkins TestFairy Plugin stores credentials unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1062
http://www.securityfocus.com/bid/107790
http://www.openwall.com/lists/oss-security/2019/04/12/2
Related Vulnerabilities
CVE-2022-45393 Vulnerability in maven package org.jenkins-ci.plugins:delete-log-plugin
CVE-2021-26544 Vulnerability in maven package org.apache.livy:livy-server
CVE-2023-40826 Vulnerability in maven package org.pf4j:pf4j
CVE-2022-46684 Vulnerability in maven package com.checkmarx.jenkins:checkmarx
CVE-2020-35510 Vulnerability in maven package org.jboss.remoting:jboss-remoting