Description

Jenkins Azure Event Grid Build Notifier Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1544

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2023-2251 Vulnerability in npm package yaml

CVE-2023-24447 Vulnerability in maven package org.jenkins-ci.plugins:rabbitmq-consumer

CVE-2022-39266 Vulnerability in npm package isolated-vm

CVE-2022-36100 Vulnerability in maven package org.xwiki.platform:xwiki-platform-tag-ui

CVE-2020-16041 Vulnerability in maven package org.webjars.npm:electron

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory