Unencrypted Credential Storage Vulnerability in Jenkins Maven Release Plugin
CVE-2019-10361

5.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Maven Release Plugin
Vendor
CVE Published:
31 July 2019

Summary

The Jenkins Maven Release Plugin version 0.14.0 and earlier suffers from a vulnerability where credentials are stored unencrypted on the Jenkins master. This lack of encryption allows users with access to the master file system to view sensitive credentials, posing a significant security risk. It is essential for Jenkins users to ensure they are running an updated version to mitigate potential unauthorized access.

Affected Version(s)

Jenkins Maven Release Plugin 0.14.0 and earlier

References

http://www.openwall.com/lists/oss-security/2019/07/31/1
mailing-listx_refsource_MLIST
https://www.zerodayinitiative.com/advisories/ZDI-19-835/
x_refsource_MISC
https://jenkins.io/security/advisory/2019-07-31/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.