Description

Jenkins Sofy.AI Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1431

http://www.openwall.com/lists/oss-security/2019/10/16/6

Related Vulnerabilities

CVE-2022-23457 Vulnerability in maven package org.owasp.esapi:esapi

CVE-2019-17352 Vulnerability in maven package com.jfinal:jfinal

CVE-2023-31579 Vulnerability in maven package top.tangyh.basic:lamp-core

CVE-2023-50719 Vulnerability in maven package org.xwiki.platform:xwiki-platform-mail-general

CVE-2021-29425 Vulnerability in maven package commons-io:commons-io

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory