Description
Jenkins Debian Package Builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file on the Jenkins master where it can be viewed by users with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/02/12/3
https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1558
Related Vulnerabilities
CVE-2019-10296 Vulnerability in maven package com.urbancode.ds.jenkins.plugins:sra-deploy
CVE-2023-29246 Vulnerability in maven package org.apache.openmeetings:openmeetings-web
CVE-2022-34113 Vulnerability in maven package io.dataease:dataease-plugin-common
CVE-2021-21640 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2020-28469 Vulnerability in maven package org.webjars.bowergithub.es128:glob-parent