Description

Jenkins Data Theorem: CI/CD Plugin 1.3 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1557

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2022-2216 Vulnerability in maven package org.webjars.npm:parse-url

CVE-2022-24196 Vulnerability in maven package com.itextpdf:itext7-core

CVE-2023-38695 Vulnerability in npm package @simonsmith/cypress-image-snapshot

CVE-2022-36437 Vulnerability in maven package com.hazelcast:hazelcast

CVE-2019-5448 Vulnerability in npm package yarn

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory