Exposed Credentials in Jenkins Mask Passwords Plugin
CVE-2019-10370

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Mask Passwords Plugin
Vendor: CVE Published:; 7 August 2019

What is CVE-2019-10370?

The Jenkins Mask Passwords Plugin versions up to and including 2.12.0 transmit globally configured passwords in plain text during the submission of configuration forms. This behavior can lead to unintended exposure of sensitive credentials, posing a significant risk to the security of Jenkins instances. Administrators should review configurations and apply updates to ensure that passwords are masked appropriately and not sent in an insecure manner.

Affected Version(s)

Jenkins Mask Passwords Plugin 2.12.0 and earlier

References

http://www.openwall.com/lists/oss-security/2019/08/07/1

mailing-listx_refsource_MLIST

https://jenkins.io/security/advisory/2019-08-07/#SECURITY...

x_refsource_CONFIRM

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

Required

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 7, 2019
Vulnerability Reserved
Mar 29, 2019