Description

Jenkins Crowd Integration Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1069

Related Vulnerabilities

CVE-2021-39239 Vulnerability in maven package org.apache.jena:jena-core

CVE-2020-13956 Vulnerability in maven package org.apache.httpcomponents.client5:httpclient5

CVE-2022-24437 Vulnerability in npm package git-pull-or-clone

CVE-2020-28487 Vulnerability in maven package org.webjars.npm:vis-timeline

CVE-2020-7691 Vulnerability in maven package org.webjars:jspdf

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory