Description

Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1044

Related Vulnerabilities

CVE-2022-34115 Vulnerability in maven package io.dataease:dataease-plugin-common

CVE-2023-2507 Vulnerability in npm package clevertap-cordova

CVE-2019-16541 Vulnerability in maven package org.jenkins-ci.plugins:jira

CVE-2021-44684 Vulnerability in npm package github-todos

CVE-2019-1003041 Vulnerability in maven package org.jenkins-ci.plugins:groovy

Severity

High

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory