Description

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1433

Related Vulnerabilities

CVE-2014-7810 Vulnerability in maven package org.apache.tomcat:tomcat-el-api

CVE-2022-41930 Vulnerability in maven package org.xwiki.platform:xwiki-platform-user-profile-ui

CVE-2023-49299 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-master

CVE-2022-42127 Vulnerability in maven package com.liferay:com.liferay.friendly.url.web

CVE-2023-35153 Vulnerability in maven package org.xwiki.platform:xwiki-platform-appwithinminutes-ui

Severity

Critical

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory