Stored Credential Exposure in Jenkins Gogs Plugin
CVE-2019-10348

8.8HIGH

Key Information:

Vendor

Jenkins
Status
Jenkins Gogs Plugin
Vendor
CVE Published:
11 July 2019

What is CVE-2019-10348?

The Jenkins Gogs Plugin introduces a vulnerability where stored credentials are kept unencrypted in the job config.xml files on the Jenkins master. This configuration flaw allows users with Extended Read permission, or access to the master file system, to view sensitive information. Proper measures should be taken to secure credential storage and prevent unauthorized access, ensuring that sensitive data remains protected against potential exploitation.

Affected Version(s)

Jenkins Gogs Plugin 1.0.14 and earlier

References

http://www.openwall.com/lists/oss-security/2019/07/11/4
mailing-listx_refsource_MLIST
http://www.securityfocus.com/bid/109156
vdb-entryx_refsource_BID
https://www.zerodayinitiative.com/advisories/ZDI-19-837/
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.