Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2018-14042 Vulnerability in maven package org.webjars.npm:bootstrap

CVE-2015-7536 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2020-6468 Vulnerability in maven package org.webjars.npm:electron

CVE-2017-15010 Vulnerability in npm package tough-cookie

CVE-2019-1003022 Vulnerability in maven package org.jvnet.hudson.plugins:monitoring

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory