Description

An exposure of sensitive information vulnerability exists in Jenkins Tinfoil Security Plugin 1.6.1 and earlier in TinfoilScanRecorder.java that allows attackers with file system access to the Jenkins master to obtain the API secret key stored in this plugin's configuration.

Remediation

References

https://jenkins.io/security/advisory/2018-07-30/#SECURITY-840

Related Vulnerabilities

CVE-2023-37478 Vulnerability in npm package @pnpm/linux-arm64

CVE-2022-36891 Vulnerability in maven package org.jenkins-ci.plugins:deployer-framework

CVE-2022-44729 Vulnerability in maven package org.apache.xmlgraphics:batik-svgrasterizer

CVE-2020-1758 Vulnerability in maven package org.keycloak:keycloak-services

CVE-2021-26074 Vulnerability in maven package com.atlassian.connect:atlassian-connect-spring-boot-starter

Severity

Medium

Classification

CWE-200 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory