Description

Jenkins jenkins-cloudformation-plugin Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1042

Related Vulnerabilities

CVE-2021-21297 Vulnerability in npm package @node-red/runtime

CVE-2022-42920 Vulnerability in maven package org.apache.bcel:bcel

CVE-2021-23507 Vulnerability in npm package object-path-set

CVE-2021-22137 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2019-15599 Vulnerability in maven package org.webjars.npm:tree-kill

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory