Credential Storage Vulnerability in Jenkins WildFly Deployer Plugin
CVE-2019-1003072
8.8 HIGH
What is CVE-2019-1003072?
The Jenkins WildFly Deployer Plugin stores credentials unencrypted in job config.xml files on the Jenkins master. These credentials can be viewed by any user who has been granted Extended Read permission or who has access to the master file system. This puts the confidentiality and integrity of sensitive information managed through Jenkins at risk.
Affected Version(s)
Jenkins WildFly Deployer Plugin all versions as of 2019-04-03