Description

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by attackers with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-11-15/#SECURITY-2912

http://www.openwall.com/lists/oss-security/2022/11/15/4

Related Vulnerabilities

CVE-2017-12647 Vulnerability in maven package com.liferay:com.liferay.knowledge.base.service

CVE-2020-14359 Vulnerability in maven package org.keycloak:keycloak-core

CVE-2023-37903 Vulnerability in maven package org.webjars.npm:vm2

CVE-2016-5019 Vulnerability in maven package org.apache.myfaces.trinidad:trinidad-impl

CVE-2022-36034 Vulnerability in npm package nitrado.js

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory