Description
Jenkins Zulip Plugin 1.1.0 and earlier stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2019/10/23/2
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1621