Description
Jenkins Redgate SQL Change Automation Plugin 2.0.4 and earlier stored an API key unencrypted in job config.xml files on the Jenkins master, where it could be viewed by users with Extended Read permission or with access to the master file system.
Remediation
References
https://jenkins.io/security/advisory/2020-01-15/#SECURITY-1696