Description
Jenkins Bitbucket OAuth Plugin 0.9 and earlier stored credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/23/2
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1546