Description

Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1432

Related Vulnerabilities

CVE-2022-39135 Vulnerability in maven package org.apache.calcite:calcite-core

CVE-2020-2292 Vulnerability in maven package org.jenkins-ci.plugins:release

CVE-2017-7661 Vulnerability in maven package org.apache.cxf.fediz:fediz-oidc

CVE-2020-27838 Vulnerability in maven package org.keycloak:keycloak-server-spi-private

CVE-2022-36883 Vulnerability in maven package org.jenkins-ci.plugins:git

Severity

Critical

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory