Description

Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1574

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2019-1003070 Vulnerability in maven package org.jenkins-ci.plugins:veracode-scanner

CVE-2016-0763 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2020-9489 Vulnerability in maven package org.apache.tika:tika-parsers

CVE-2023-46659 Vulnerability in maven package org.jenkins-ci.plugins:trac

CVE-2017-2649 Vulnerability in maven package org.jenkins-ci.plugins:active-directory

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory