Description

Jenkins TraceTronic ECU-TEST Plugin 2.23.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2021-01-13/#SECURITY-2057

Related Vulnerabilities

CVE-2015-5254 Vulnerability in maven package org.apache.activemq:activemq-all

CVE-2017-1000104 Vulnerability in maven package org.jenkins-ci.plugins:config-file-provider

CVE-2018-20677 Vulnerability in maven package org.webjars.npm:bootstrap-sass

CVE-2018-20677 Vulnerability in maven package org.webjars.npm:bootstrap

CVE-2019-0230 Vulnerability in maven package org.apache.struts:struts2-core

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory