Description

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1433

Related Vulnerabilities

CVE-2016-4987 Vulnerability in maven package com.tupilabs.image_gallery:image-gallery

CVE-2021-43297 Vulnerability in maven package com.alibaba:hessian-lite

CVE-2022-38370 Vulnerability in maven package org.apache.iotdb:iotdb-grafana-connector

CVE-2020-13956 Vulnerability in maven package org.apache.httpcomponents.client5:httpclient5

CVE-2022-34190 Vulnerability in maven package eu.markov.jenkins.plugin.mvnmeta:maven-metadata-plugin

Severity

Critical

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory