Description
Jenkins CONS3RT Plugin 1.0.0 and earlier stores the Cons3rt API token unencrypted in job config.xml files on the Jenkins controller, where it can be viewed by users with access to the Jenkins controller file system.
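An audit check for the condition described above, added here as an example and not taken from the advisory or the plugin: it parses a job config.xml and reports credential-like elements whose value is not in the "{base64}" form Jenkins uses for encrypted Secret fields. The element names matched and the sample XML are assumptions, since the description does not name the plugin's field.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serialises encrypted Secret fields as "{<base64>}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Assumption: element names that suggest a credential. The plugin's actual
# field name is not given in the description above.
SENSITIVE_NAME = re.compile(r"token|password|secret|apikey", re.IGNORECASE)


def find_plaintext_secrets(config_xml):
    """Return (element path, masked value) for credential-like leaf
    elements whose text is not in the encrypted Secret format."""
    # Jenkins writes an XML 1.1 declaration, which expat rejects; downgrade it.
    config_xml = re.sub(r"^\s*<\?xml\s+version=(['\"])1\.1\1",
                        "<?xml version='1.0'", config_xml, count=1)
    root = ET.fromstring(config_xml)
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        text = (node.text or "").strip()
        if text and len(node) == 0 and SENSITIVE_NAME.search(node.tag):
            if not ENCRYPTED_SECRET.match(text):
                findings.append((here, text[:2] + "***"))  # never log the value
        for child in node:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample job config; tag names and values are hypothetical.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <hypothetical.ExampleBuilder>
      <apiToken>abcd1234plaintext</apiToken>
      <otherToken>{AQAAABAAAAAQexampleciphertext0000=}</otherToken>
      <projectName>demo</projectName>
    </hypothetical.ExampleBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for path, masked in find_plaintext_secrets(SAMPLE):
        print(f"plaintext credential at {path}: {masked}")
```

A hit is a prompt to check who can read that file on the controller and to rotate the reported token.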
Remediation
References
http://www.openwall.com/lists/oss-security/2022/09/21/5
https://www.jenkins.io/security/advisory/2022-09-21/#SECURITY-2759