Description
Jenkins Maven Release Plugin 0.14.0 and earlier stored credentials unencrypted on the Jenkins master, where they could be viewed by users with access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1435
http://www.openwall.com/lists/oss-security/2019/07/31/1
https://www.zerodayinitiative.com/advisories/ZDI-19-835/
Related Vulnerabilities
CVE-2011-0013 Vulnerability in maven package tomcat:catalina
CVE-2023-24998 Vulnerability in maven package commons-fileupload:commons-fileupload
CVE-2022-36881 Vulnerability in maven package org.jenkins-ci.plugins:git-client
CVE-2020-13934 Vulnerability in maven package org.apache.tomcat:tomcat-coyote
CVE-2022-43670 Vulnerability in maven package org.apache.sling:org.apache.sling.cms