Description

Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/09/16/3

https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-2014

Related Vulnerabilities

CVE-2023-37943 Vulnerability in maven package org.jenkins-ci.plugins:active-directory

CVE-2021-33041 Vulnerability in npm package vmd

CVE-2020-4075 Vulnerability in maven package org.webjars.npm:electron

CVE-2021-23438 Vulnerability in npm package mpath

CVE-2020-2256 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-maven-parent

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Third Party Advisory Vendor Advisory