Description

Jenkins Google Calendar Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1572

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2010-1157 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2022-43766 Vulnerability in maven package org.apache.iotdb:tsfile

CVE-2019-10364 Vulnerability in maven package org.jenkins-ci.plugins:ec2

CVE-2023-26106 Vulnerability in npm package dot-lens

CVE-2023-47324 Vulnerability in maven package org.silverpeas.core:silverpeas-core-rs

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory