Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2022-43431 Vulnerability in maven package com.compuware.jenkins:compuware-strobe-measurement

CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-web-api

CVE-2023-32981 Vulnerability in maven package org.jenkins-ci.plugins:pipeline-utility-steps

CVE-2008-6504 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2020-2131 Vulnerability in maven package org.jenkins-ci.plugins:harvest

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory