Description
Jenkins NeoLoad Plugin 2.2.5 and earlier stored credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master, where they could be viewed by users with Extended Read permission or by anyone with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/16/6
https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1427
https://www.zerodayinitiative.com/advisories/ZDI-19-932/