Description

Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1546

http://www.openwall.com/lists/oss-security/2019/10/23/2

Related Vulnerabilities

CVE-2023-45282 Vulnerability in npm package openmct

CVE-2023-30518 Vulnerability in maven package io.jenkins.plugins:thycotic-secret-server

CVE-2019-16556 Vulnerability in maven package org.jenkins-ci.plugins:rundeck

CVE-2023-33949 Vulnerability in maven package com.liferay.portal:release.portal.bom

CVE-2021-41182 Vulnerability in maven package org.webjars.bowergithub.jquery:jquery-ui

Severity

High

Classification

CWE-522 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory Mailing List Third Party Advisory