Description
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/04/30/5
http://www.securityfocus.com/bid/108159
https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
Related Vulnerabilities
CVE-2020-35202 Vulnerability in maven package org.igniterealtime.openfire.plugins:dbaccess
CVE-2020-7608 Vulnerability in maven package org.webjars.npm:yargs-parser
CVE-2020-2217 Vulnerability in maven package org.jenkins-ci.plugins:compatibility-action-storage
CVE-2020-2169 Vulnerability in maven package org.jenkins-ci.plugins:queue-cleanup
CVE-2015-3250 Vulnerability in maven package org.apache.directory.api:apache-ldap-api