Description

Jenkins Violation Comments to GitLab Plugin 2.28 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1577

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2022-34805 Vulnerability in maven package org.jenkins-ci.plugins:skype-notifier

CVE-2011-2731 Vulnerability in maven package org.springframework.security:spring-security-core

CVE-2022-45383 Vulnerability in maven package org.jenkins-ci.plugins:support-core

CVE-2022-25885 Vulnerability in npm package muhammara

CVE-2021-21120 Vulnerability in npm package electron

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory