Description
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
http://www.openwall.com/lists/oss-security/2019/04/30/5
http://www.securityfocus.com/bid/108159