Description

Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/07/02/7

https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1686

Related Vulnerabilities

CVE-2020-5245 Vulnerability in maven package io.dropwizard:dropwizard-validation

CVE-2015-9242 Vulnerability in maven package org.webjars.npm:ecstatic

CVE-2022-47551 Vulnerability in maven package io.apiman:apiman-manager-api-rest-impl

CVE-2020-28502 Vulnerability in npm package xmlhttprequest-ssl

CVE-2018-16461 Vulnerability in npm package libnmap

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Third Party Advisory Vendor Advisory