Description

Jenkins Git Changelog Plugin 2.17 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/09/25/3

https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1574

Related Vulnerabilities

CVE-2022-36894 Vulnerability in maven package org.jenkins-ci.plugins:clif-performance-testing

CVE-2023-28709 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2022-0671 Vulnerability in maven package org.eclipse.lemminx:lemminx-parent

CVE-2019-10247 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2019-1003041 Vulnerability in maven package org.jenkins-ci.plugins:script-security

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory