Description

Jenkins crittercism-dsym Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1063

http://www.securityfocus.com/bid/107790

http://www.openwall.com/lists/oss-security/2019/04/12/2

Related Vulnerabilities

CVE-2016-4432 Vulnerability in maven package org.apache.qpid:qpid-broker-plugins-amqp-0-8-protocol

CVE-2022-39198 Vulnerability in maven package com.alibaba:hessian-lite

CVE-2022-26612 Vulnerability in maven package org.apache.hadoop:hadoop-common

CVE-2019-10467 Vulnerability in maven package org.jenkins-ci.plugins:sonar-gerrit

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-hive

Severity

Critical

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Third Party Advisory VDB Entry Mailing List