Insufficiently Protected Credentials in Jenkins Crowd 2 Integration Plugin
CVE-2018-1000423

7.8HIGH

Key Information:

Vendor: Atlassian
Status: Crowd2
Vendor: CVE Published:; 9 January 2019

Summary

A flaw in the Jenkins Crowd 2 Integration Plugin allows attackers with local file system access to retrieve sensitive credentials utilized for connecting to Crowd 2. This vulnerability resides in the CrowdSecurityRealm.java and CrowdConfigurationService.java files, emphasizing the need for enhanced security measures to protect sensitive data effectively.

References

http://www.securityfocus.com/bid/106532

vdb-entryx_refsource_BID

https://jenkins.io/security/advisory/2018-09-25/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

7.8

Severity:

HIGH

Confidentiality:

High

Integrity:

High

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 9, 2019
Vulnerability Reserved
Jan 9, 2019