Description

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2945

Related Vulnerabilities

CVE-2017-12615 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-12418 Vulnerability in maven package org.apache.tomcat:tomcat-catalina

CVE-2019-10460 Vulnerability in maven package org.jenkins-ci.plugins:bitbucket-oauth

CVE-2021-34371 Vulnerability in maven package org.neo4j:neo4j

CVE-2019-1003059 Vulnerability in maven package org.jvnet.hudson.plugins:ftppublisher

Severity

Medium

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory