Unencrypted Credential Storage in Jenkins mabl Plugin by CloudBees
CVE-2019-10283
8.8 HIGH
Summary
The Jenkins mabl Plugin exposes user credentials by storing them unencrypted in job configuration files on the Jenkins master. This vulnerability allows users with Extended Read permission, or those who can access the master file system, to view sensitive credentials, significantly increasing the risk of unauthorized access and data breaches. It is crucial for organizations using the affected versions to implement security measures, such as restricting access to the Jenkins master and ensuring proper credential management practices.
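An added example, not part of the original advisory and not code from the plugin or from Jenkins: a defender-side audit that walks the job configuration files described above and reports secret-looking elements whose values are not in Jenkins' encrypted "{base64}" form. The tag-name heuristic is an assumption, since the advisory does not name the fields the plugin writes, and the sample configuration is constructed.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumption: element names that suggest a secret. The advisory does not name
# the fields the plugin writes, so this is a generic heuristic.
SECRET_NAME = re.compile(r"api[-_]?key|token|passw(or)?d|secret", re.I)
# Values stored through Jenkins' hudson.util.Secret are written as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Jenkins writes an XML 1.1 declaration that Python's expat-based parser
# does not accept, so it is rewritten to 1.0 before parsing.
XML11_DECL = re.compile(r"^(<\?xml\s+version=['\"])1\.1")

# Constructed sample, not a real job; tag names and values are hypothetical.
SAMPLE_CONFIG = """\
<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <com.example.SampleStepBuilder>
      <apiKey>CONSTRUCTED-NOT-A-REAL-KEY</apiKey>
      <password>{AQAAABAAAAAQconstructedBase64Value=}</password>
      <environmentId>constructed-env</environmentId>
    </com.example.SampleStepBuilder>
  </builders>
</project>
"""

def find_plaintext_secrets(config_xml):
    """Return (tag, value_length) for secret-like elements stored in clear."""
    root = ET.fromstring(XML11_DECL.sub(r"\g<1>1.0", config_xml, count=1))
    findings = []
    for elem in root.iter():
        value = (elem.text or "").strip()
        if value and SECRET_NAME.search(elem.tag) and not ENCRYPTED.match(value):
            findings.append((elem.tag, len(value)))  # never echo the value
    return findings

def audit_jenkins_home(jenkins_home):
    """Scan job config.xml files under JENKINS_HOME/jobs; {path: findings}."""
    report = {}
    for cfg in Path(jenkins_home, "jobs").rglob("config.xml"):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError, UnicodeDecodeError):
            continue  # unreadable or malformed file: skip, do not abort the scan
        if hits:
            report[str(cfg)] = hits
    return report

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))
```

Any credential the audit reports should be rotated, because it has been readable by every account with Extended Read permission and by anyone with access to the master file system.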
Affected Version(s)
Jenkins mabl Plugin all versions as of 2019-04-03
CVSS V3.1
Score: 8.8
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved