Description

Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master where they could be viewed by users with access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/07/31/1

https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1435

https://www.zerodayinitiative.com/advisories/ZDI-19-835/

Related Vulnerabilities

CVE-2020-25638 Vulnerability in maven package org.hibernate:hibernate-core

CVE-2023-36478 Vulnerability in maven package org.eclipse.jetty.http2:http2-hpack

CVE-2020-12648 Vulnerability in maven package org.webjars.bower:tinymce

CVE-2019-13235 Vulnerability in maven package org.opencms:opencms-core

CVE-2021-42697 Vulnerability in maven package com.typesafe.akka:akka-http_2.12

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory VDB Entry