Description

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636

http://www.openwall.com/lists/oss-security/2019/12/17/1

Related Vulnerabilities

CVE-2022-21680 Vulnerability in npm package marked

CVE-2021-36163 Vulnerability in maven package org.apache.dubbo:dubbo-serialization

CVE-2022-24827 Vulnerability in maven package com.yahoo.elide:elide-datastore-aggregation

CVE-2023-25763 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

CVE-2022-25860 Vulnerability in maven package org.webjars.npm:simple-git

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory