Description

Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-06-22/#SECURITY-2064

Related Vulnerabilities

CVE-2022-43412 Vulnerability in maven package org.jenkins-ci.plugins:generic-webhook-trigger

CVE-2013-1965 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2017-15681 Vulnerability in maven package org.craftercms:crafter-studio

CVE-2021-22053 Vulnerability in maven package org.springframework.cloud:spring-cloud-netflix-hystrix-dashboard

CVE-2020-13920 Vulnerability in maven package org.apache.activemq:activemq-core

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory