Description

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-840

Related Vulnerabilities

CVE-2018-14658 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2023-32979 Vulnerability in maven package org.jenkins-ci.plugins:email-ext

CVE-2014-3603 Vulnerability in maven package org.opensaml:opensaml

CVE-2016-0779 Vulnerability in maven package org.apache.tomee:arquillian-tomee-common

CVE-2023-35151 Vulnerability in maven package org.xwiki.platform:xwiki-platform-rest-server

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory