Description

Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-961

Related Vulnerabilities

CVE-2021-36162 Vulnerability in maven package org.apache.dubbo:dubbo-cluster

CVE-2022-25167 Vulnerability in maven package org.apache.flume:flume-parent

CVE-2022-41248 Vulnerability in maven package org.jenkins-ci.plugins:bigpanda-jenkins

CVE-2021-38296 Vulnerability in maven package org.apache.spark:spark-core

CVE-2022-39249 Vulnerability in npm package matrix-js-sdk

Severity

Critical

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory