Description

Jenkins Upload to pgyer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1044

Related Vulnerabilities

CVE-2023-37947 Vulnerability in maven package org.openshift.jenkins:openshift-login

CVE-2020-7623 Vulnerability in npm package jscover

CVE-2020-14195 Vulnerability in maven package com.fasterxml.jackson.core:jackson-databind

CVE-2020-15126 Vulnerability in npm package parse-server

CVE-2019-10281 Vulnerability in maven package org.jenkins-ci.plugins:relution-publisher

Severity

High

Classification

CWE-311 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory