Description

Jenkins ECX Copy Data Management Plugin 1.9 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1549

http://www.openwall.com/lists/oss-security/2020/02/12/3

Related Vulnerabilities

CVE-2020-16041 Vulnerability in npm package electron

CVE-2022-42466 Vulnerability in maven package org.apache.isis.commons:isis-commons

CVE-2022-36904 Vulnerability in maven package org.jenkins-ci.plugins:repository-connector

CVE-2017-12612 Vulnerability in maven package org.apache.spark:spark-core_2.10

CVE-2011-3375 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory