Description

Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/04/30/5

http://www.securityfocus.com/bid/108159

https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390

Related Vulnerabilities

CVE-2021-44791 Vulnerability in maven package org.apache.druid:druid

CVE-2022-41930 Vulnerability in maven package org.xwiki.platform:xwiki-platform-user-profile-ui

CVE-2021-31805 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2015-8855 Vulnerability in maven package org.webjars.npm:semver

CVE-2020-9480 Vulnerability in maven package org.apache.spark:spark-network-common_2.11

Severity

Critical

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory