Description

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-840

Related Vulnerabilities

CVE-2014-4611 Vulnerability in maven package net.jpountz.lz4:lz4

CVE-2022-4147 Vulnerability in maven package io.quarkus:quarkus-vertx-http

CVE-2019-11358 Vulnerability in npm package jquery

CVE-2023-24439 Vulnerability in maven package org.jenkins-ci.plugins:jira-steps

CVE-2019-1003025 Vulnerability in maven package org.jenkins-ci.plugins:cloudfoundry

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory