Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2023-24442 Vulnerability in maven package org.jenkins-ci.plugins:github-pr-coverage-status

CVE-2020-12725 Vulnerability in npm package redash

CVE-2023-37895 Vulnerability in maven package org.apache.jackrabbit:jackrabbit-standalone-components

CVE-2019-10429 Vulnerability in maven package org.jenkins-ci.plugins:gitlab-logo

CVE-2015-2156 Vulnerability in maven package io.netty:netty

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory