Description

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2022/11/15/4

https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912

Related Vulnerabilities

CVE-2020-6451 Vulnerability in npm package electron

CVE-2023-34624 Vulnerability in maven package net.sourceforge.htmlcleaner:htmlcleaner

CVE-2022-38666 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2020-7755 Vulnerability in npm package dat.gui

CVE-2022-34305 Vulnerability in maven package org.apache.tomcat:tomcat

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory