Description

Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1597

http://www.openwall.com/lists/oss-security/2019/12/17/1

Related Vulnerabilities

CVE-2014-7827 Vulnerability in maven package org.picketlink:picketlink-federation

CVE-2020-2169 Vulnerability in maven package org.jenkins-ci.plugins:queue-cleanup

CVE-2021-41097 Vulnerability in npm package aurelia-path

CVE-2022-43435 Vulnerability in maven package org.jenkins-ci.plugins.plugin:fireline

CVE-2022-24901 Vulnerability in npm package parse-server

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory