Description

Jenkins Assembla Auth Plugin stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/12/2

http://www.securityfocus.com/bid/107790

https://jenkins.io/security/advisory/2019-04-03/#SECURITY-1093

Related Vulnerabilities

CVE-2022-43413 Vulnerability in maven package org.jenkins-ci.plugins:job-import-plugin

CVE-2019-5427 Vulnerability in maven package c3p0:c3p0

CVE-2019-10281 Vulnerability in maven package org.jenkins-ci.plugins:relution-publisher

CVE-2023-36820 Vulnerability in maven package io.micronaut.security:micronaut-security-oauth2

CVE-2022-27340 Vulnerability in maven package net.mingsoft:ms-mcms

Severity

Critical

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory