Description
Jenkins CONS3RT Plugin 1.0.0 and earlier stores the Cons3rt API token unencrypted in job config.xml files on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
Remediation
References
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2759
http://www.openwall.com/lists/oss-security/2022/09/21/5