Description
Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438
http://www.openwall.com/lists/oss-security/2019/07/11/4
http://www.securityfocus.com/bid/109156
https://www.zerodayinitiative.com/advisories/ZDI-19-837/
Related Vulnerabilities
CVE-2018-1000188 Vulnerability in maven package org.jenkins-ci.plugins:cas-plugin
CVE-2018-11093 Vulnerability in npm package @ckeditor/ckeditor5-link
CVE-2021-36372 Vulnerability in maven package org.apache.ozone:ozone-common
CVE-2016-3102 Vulnerability in maven package org.jenkins-ci.plugins:script-security
CVE-2012-2098 Vulnerability in maven package org.apache.commons:commons-compress