Description
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/04/30/5
http://www.securityfocus.com/bid/108159
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
Related Vulnerabilities
CVE-2020-15084 Vulnerability in npm package express-jwt
CVE-2020-6457 Vulnerability in npm package electron
CVE-2021-23411 Vulnerability in npm package anchorme
CVE-2019-10330 Vulnerability in maven package org.jenkins-ci.plugins:gitea
CVE-2022-41704 Vulnerability in maven package org.apache.xmlgraphics:batik-bridge