Description
Jenkins Jigomerge Plugin 0.9 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller, where they can be viewed by users with Extended Read permission or with access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2083
Related Vulnerabilities
CVE-2023-33947 Vulnerability in maven package com.liferay.portal:release.portal.bom
CVE-2022-40955 Vulnerability in maven package org.apache.inlong:sort-connector-jdbc
CVE-2023-31206 Vulnerability in maven package org.apache.inlong:manager-dao
CVE-2023-35145 Vulnerability in maven package org.jenkins-ci.plugins:sonargraph-integration
CVE-2019-10157 Vulnerability in npm package keycloak-connect