Description
Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-08-07/#SECURITY-1428
http://www.openwall.com/lists/oss-security/2019/08/07/1
https://www.zerodayinitiative.com/advisories/ZDI-19-839/