Description

Jenkins Extensive Testing Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1432

Related Vulnerabilities

CVE-2014-0109 Vulnerability in maven package org.apache.cxf:cxf-bundle-minimal

CVE-2021-42357 Vulnerability in maven package org.apache.knox:gateway-service-knoxsso

CVE-2023-33941 Vulnerability in maven package com.liferay:com.liferay.oauth2.provider.rest

CVE-2018-12585 Vulnerability in maven package org.opcfoundation.ua:opc-ua-stack

CVE-2023-32991 Vulnerability in maven package io.jenkins.plugins:miniorange-saml-sp

Severity

Critical

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Tags

Vendor Advisory