Description

Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1069

http://www.securityfocus.com/bid/107790

http://www.openwall.com/lists/oss-security/2019/04/12/2

Related Vulnerabilities

CVE-2021-40823 Vulnerability in npm package matrix-js-sdk

CVE-2023-23936 Vulnerability in npm package undici

CVE-2017-1000093 Vulnerability in maven package org.jenkins-ci.plugins:pollscm

CVE-2014-0193 Vulnerability in maven package org.onosproject:onos-netconf-provider-device

CVE-2021-34801 Vulnerability in npm package valine

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Third Party Advisory VDB Entry Mailing List