Description
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
Remediation
References
http://www.openwall.com/lists/oss-security/2020/09/16/3
https://www.jenkins.io/security/advisory/2020-09-16/#SECURITY-2014
Related Vulnerabilities
CVE-2015-8855 Vulnerability in maven package org.webjars.bower:semver
CVE-2022-39299 Vulnerability in npm package @node-saml/node-saml
CVE-2015-3250 Vulnerability in maven package org.apache.directory.api:api-ldap-model
CVE-2018-1000844 Vulnerability in maven package com.squareup.retrofit2:converter-jaxb