Description

Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2020/07/02/7

https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1686

Related Vulnerabilities

CVE-2019-19771 Vulnerability in npm package bpi39

CVE-2018-20801 Vulnerability in maven package org.webjars:highcharts

CVE-2018-1331 Vulnerability in maven package org.apache.storm:storm-core

CVE-2020-7764 Vulnerability in npm package find-my-way

CVE-2019-1003030 Vulnerability in maven package org.jenkins-ci.plugins.workflow:workflow-cps

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Third Party Advisory Vendor Advisory