Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2018-20677 Vulnerability in maven package org.webjars.npm:bootstrap

CVE-2021-41532 Vulnerability in maven package org.apache.ozone:ozone-recon

CVE-2017-1000390 Vulnerability in maven package org.jenkins-ci.plugins:jenkins-multijob-plugin

CVE-2017-12611 Vulnerability in maven package org.apache.struts:struts2-core

CVE-2022-46683 Vulnerability in maven package org.jenkins-ci.plugins:google-login

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory