Insecure Storage of Credentials in Jenkins Assembla Auth Plugin by CloudBees
CVE-2019-10280
8.8 HIGH
What is CVE-2019-10280?
The Jenkins Assembla Auth Plugin, developed by CloudBees, stores credentials unencrypted in the global config.xml configuration file on the Jenkins master. Users with access to the master file system can therefore view these credentials in plain text, potentially exposing critical information. To mitigate this risk, credentials should be stored encrypted and appropriate security measures applied.
Affected Version(s)
Jenkins Assembla Auth Plugin all versions as of 2019-04-03
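The following audit sketch is an added example, not code from the plugin or from Jenkins: it walks a global config.xml and reports secret-looking elements whose values are not in the brace-wrapped encrypted form that Jenkins writes for hudson.util.Secret fields. The element names in the sample and the name heuristic are assumptions, since the advisory does not list the plugin's field names.

```python
import re
import xml.etree.ElementTree as ET

# Heuristic for element names that usually hold secrets (assumption of this example).
SECRET_NAME = re.compile(r"(password|passwd|secret|token|api_?key)", re.I)
# Current Jenkins releases serialize hudson.util.Secret values as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Jenkins prefixes config.xml with an XML 1.1 declaration; drop it before parsing
# so the parser only has to deal with the root element.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")


def find_plaintext_secrets(xml_text):
    """Return (path, element name) for secret-looking elements stored unencrypted.

    The secret value itself is deliberately left out of the result so the
    audit output can be logged or shared without leaking it.
    """
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    findings = []

    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        if SECRET_NAME.search(node.tag) and value and not ENCRYPTED.match(value):
            findings.append((here, node.tag))
        for child in node:
            walk(child, here)

    walk(root, "")
    return findings


# Constructed sample: element names and values are hypothetical, not taken
# from the plugin or from a real Jenkins installation.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<hudson>
  <securityRealm class="example.HypotheticalRealm">
    <clientId>example-client</clientId>
    <clientSecret>s3cr3t-in-the-clear</clientSecret>
  </securityRealm>
  <proxy>
    <secretPassword>{AQAAABAAAAAQq1h0bGFuayBzYW1wbGUgdmFsdWU=}</secretPassword>
  </proxy>
</hudson>
"""

if __name__ == "__main__":
    for path, name in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext value in <{name}> at {path}")
```

A finding means the value needs manual review, not that it is certainly a live credential; anything not in the brace-wrapped form is reported.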