Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2787

Related Vulnerabilities

CVE-2023-20860 Vulnerability in maven package org.springframework:spring-webmvc

CVE-2023-49674 Vulnerability in maven package io.jenkins.plugins:neuvector-vulnerability-scanner

CVE-2022-41250 Vulnerability in maven package com.meowlomo.jenkins:scm-httpclient

CVE-2019-10312 Vulnerability in maven package org.jenkins-ci.plugins:ansible-tower

CVE-2017-2650 Vulnerability in maven package cprice404:pipeline-classpath

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory