Description

Jenkins Port Allocator Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/07/11/4

http://www.securityfocus.com/bid/109156

https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1441

https://www.zerodayinitiative.com/advisories/ZDI-19-838/

Related Vulnerabilities

CVE-2019-10779 Vulnerability in maven package stroom:stroom-app

CVE-2021-4279 Vulnerability in maven package org.webjars.npm:fast-json-patch

CVE-2018-1304 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2021-21353 Vulnerability in maven package org.webjars.npm:pug

CVE-2019-1003091 Vulnerability in maven package com.soasta.jenkins:cloudtest

Severity

Critical

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Mailing List Third Party Advisory VDB Entry Vendor Advisory