Description

Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1540

http://www.openwall.com/lists/oss-security/2020/02/12/3

Related Vulnerabilities

CVE-2017-7957 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2022-34662 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-api

CVE-2011-2093 Vulnerability in maven package com.adobe.blazeds:blazeds-core

CVE-2022-33980 Vulnerability in maven package org.apache.commons:commons-configuration2

CVE-2022-34662 Vulnerability in maven package org.apache.dolphinscheduler:dolphinscheduler-common

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory