Description

Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438

http://www.openwall.com/lists/oss-security/2019/07/11/4

http://www.securityfocus.com/bid/109156

https://www.zerodayinitiative.com/advisories/ZDI-19-837/

Related Vulnerabilities

CVE-2018-1999020 Vulnerability in maven package org.onosproject:onos-core-common

CVE-2021-25864 Vulnerability in npm package node-red-contrib-huemagic

CVE-2023-41887 Vulnerability in maven package org.openrefine:database

CVE-2023-26156 Vulnerability in npm package chromedriver

CVE-2021-25646 Vulnerability in maven package org.apache.druid:druid-core

Severity

Critical

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mailing List Third Party Advisory VDB Entry