Description

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2945

http://www.openwall.com/lists/oss-security/2023/04/13/3

Related Vulnerabilities

CVE-2023-38507 Vulnerability in npm package @strapi/plugin-users-permissions

CVE-2018-1000151 Vulnerability in maven package org.jenkins-ci.plugins:vsphere-cloud

CVE-2017-1000399 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2012-5887 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-0624 Vulnerability in npm package parse-path

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory