File Disclosure Vulnerability in Jenkins Credentials Plugin
CVE-2019-10320

4.3MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Credentials Plugin
Vendor
CVE Published:
21 May 2019

Summary

The Jenkins Credentials Plugin versions 2.1.18 and prior are susceptible to a file disclosure vulnerability. This allows authorized users to probe the Jenkins master filesystem, confirming the existence of files at specified paths. Furthermore, attackers can extract sensitive certificate data, particularly PKCS#12 certificates, which could lead to unauthorized access and further exploits within the Jenkins environment. It is critical for users to update to a later version to mitigate this risk and protect sensitive information.

Affected Version(s)

Jenkins Credentials Plugin 2.1.18 and earlier

References

http://www.openwall.com/lists/oss-security/2019/05/21/1
mailing-listx_refsource_MLIST
http://seclists.org/fulldisclosure/2019/May/39
mailing-listx_refsource_FULLDISC
http://www.securityfocus.com/bid/108462
vdb-entryx_refsource_BID

CVSS V3.1

Score:
4.3
Severity:
MEDIUM
Confidentiality:
Low
Integrity:
None
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.