Unencrypted Credential Storage in Jenkins IceScrum Plugin by Jenkins
CVE-2019-10443

8.8HIGH

Key Information:

Vendor
Jenkins
Status
Jenkins Icescrum Plugin
Vendor
CVE Published:
16 October 2019

Summary

The Jenkins IceScrum Plugin versions 1.1.4 and earlier have a vulnerability that allows stored credentials to be kept unencrypted in the job config.xml files on the Jenkins master. This poses a risk as users with Extended Read permission or access to the master file system can view sensitive credentials, potentially leading to unauthorized access and data breaches. It is crucial for organizations to address this issue to enhance their security posture.

Affected Version(s)

Jenkins iceScrum Plugin 1.1.4 and earlier

References

https://jenkins.io/security/advisory/2019-10-16/#SECURITY...
x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2019/10/16/6
mailing-listx_refsource_MLIST
https://www.zerodayinitiative.com/advisories/ZDI-19-933/
x_refsource_MISC

CVSS V3.1

Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.