Description
Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1598
http://www.openwall.com/lists/oss-security/2019/12/17/1
Related Vulnerabilities
CVE-2021-40660 Vulnerability in maven package org.javadelight:delight-nashorn-sandbox
CVE-2022-45400 Vulnerability in maven package org.jvnet.hudson.plugins:japex
CVE-2018-1000190 Vulnerability in maven package com.blackducksoftware.integration:blackduck-hub
CVE-2022-25844 Vulnerability in npm package angular
CVE-2023-28684 Vulnerability in maven package com.sap.jenkinsci:remote-jobs-view-plugin