Data Exposure Vulnerability in Jenkins Configuration as Code Plugin by Jenkins
CVE-2019-10367

5.5MEDIUM

Key Information:

Vendor
Jenkins
Status
Jenkins Configuration As Code Plugin
Vendor
CVE Published:
7 August 2019

Summary

The Jenkins Configuration as Code Plugin versions up to 1.26 is vulnerable to data exposure due to an incomplete fix associated with a previous vulnerability. Specifically, sensitive values that should remain hidden in the log output are improperly masked, allowing potential unauthorized access to critical configuration information when logging the applied configurations.

Affected Version(s)

Jenkins Configuration as Code Plugin 1.26 and earlier

References

http://www.openwall.com/lists/oss-security/2019/08/07/1
mailing-listx_refsource_MLIST
https://jenkins.io/security/advisory/2019-08-07/#SECURITY...
x_refsource_CONFIRM

CVSS V3.1

Score:
5.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Local
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.