Description

Jenkins Dingding[??] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/10/01/2

https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423

https://www.zerodayinitiative.com/advisories/ZDI-19-862/

Related Vulnerabilities

CVE-2021-25933 Vulnerability in maven package org.opennms:opennms-webapp

CVE-2019-10362 Vulnerability in maven package io.jenkins:configuration-as-code

CVE-2022-42466 Vulnerability in maven package org.apache.isis.commons:isis-commons

CVE-2022-36095 Vulnerability in maven package org.xwiki.platform:xwiki-platform-web-templates

CVE-2022-41940 Vulnerability in maven package org.webjars.bower:engine.io

Severity

Low

Classification

CWE-312 CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory VDB Entry