Description

Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2019/12/17/1

https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1598

Related Vulnerabilities

CVE-2019-18350 Vulnerability in npm package ant-design-pro

CVE-2019-10173 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2022-46175 Vulnerability in maven package org.webjars.bower:json5

CVE-2022-23496 Vulnerability in maven package nl.basjes.parse.useragent:yauaa-beam-sql

CVE-2022-28220 Vulnerability in maven package org.apache.james:james-server-protocols-imap4

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory