Description

Jenkins NeuVector Vulnerability Scanner Plugin 1.5 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1504

http://www.openwall.com/lists/oss-security/2019/09/25/3

Related Vulnerabilities

CVE-2016-10027 Vulnerability in maven package org.igniterealtime.smack:smack-tcp

CVE-2014-8110 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2018-1273 Vulnerability in maven package org.springframework.data:spring-data-commons

CVE-2018-1000863 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2017-15684 Vulnerability in maven package org.craftercms:crafter-studio

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List