Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2020-7794 Vulnerability in npm package buns

CVE-2018-16131 Vulnerability in maven package com.typesafe.akka:akka-http-core_2.11

CVE-2022-34178 Vulnerability in maven package org.jenkins-ci.plugins:embeddable-build-status

CVE-2021-22051 Vulnerability in maven package org.springframework.cloud:spring-cloud-gateway-server

CVE-2022-23710 Vulnerability in maven package org.elasticsearch:elasticsearch

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory