Unencrypted Credential Storage Vulnerability in Jenkins SQL Change Automation Plugin
CVE-2019-16557
6.5 MEDIUM
Key Information:
- Vendor: Jenkins
- CVE Published: 17 December 2019
Summary
The Jenkins Redgate SQL Change Automation Plugin, in versions up to and including 2.0.3, stores user credentials unencrypted in job config.xml files. Because these files are readable by any user holding the Extended Read permission on the job, and by anyone with direct access to the Jenkins master's filesystem, the credentials are exposed to users who should not see them. Recovered credentials could then be used to gain unauthorized access to the Jenkins environment and to the database systems the plugin connects to, weakening the security posture of the affected deployment.
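A defender-side check for this class of weakness is to audit job config.xml files for credential-looking elements whose values are not in Jenkins' encrypted Secret form. The script below is an added example, not code from the Jenkins project or the plugin; the element names in the constructed sample (dbPassword, apiToken, the builder class names) are assumptions and not the plugin's real schema. It relies on one known Jenkins convention: values stored via hudson.util.Secret are serialised as base64 wrapped in braces, so a credential element whose text does not match that shape is a candidate plaintext secret.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Constructed sample config.xml in the shape this advisory describes:
# one plaintext database password, plus one properly encrypted value
# for contrast. Element names are assumptions, not the plugin's schema.
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.SqlChangeAutomationBuilder>
      <dbServer>sql.example.internal</dbServer>
      <dbUsername>deploy_user</dbUsername>
      <dbPassword>Winter2019!</dbPassword>
    </com.example.SqlChangeAutomationBuilder>
    <com.example.OtherBuilder>
      <apiToken>{AQAAABAAAAAQ3o0m4M1vQ9s7dKxqf6P2bJ7P6vJm8iWQ2vbxq6N8x0c=}</apiToken>
    </com.example.OtherBuilder>
  </builders>
</project>
"""

# Element names that usually hold a credential (case-insensitive).
SENSITIVE_TAG = re.compile(r"(password|passwd|secret|token|apikey|api_key)", re.I)

# Jenkins hudson.util.Secret serialises encrypted values as base64 in braces.
ENCRYPTED_VALUE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def _walk(elem, path, findings):
    """Depth-first walk that records credential elements with plaintext text."""
    local = elem.tag.rsplit("}", 1)[-1]  # strip any XML namespace
    here = f"{path}/{local}" if path else local
    value = (elem.text or "").strip()
    if SENSITIVE_TAG.search(local) and value and not ENCRYPTED_VALUE.match(value):
        # Never echo the secret itself; report where it is and how long it is.
        findings.append({"path": here, "length": len(value)})
    for child in elem:
        _walk(child, here, findings)


def find_plaintext_credentials(config_xml: str):
    """Return a list of {path, length} entries for suspected plaintext secrets."""
    findings = []
    _walk(ET.fromstring(config_xml), "", findings)
    return findings


def scan_jenkins_home(jenkins_home: str):
    """Audit every job config.xml under JENKINS_HOME/jobs (folders included)."""
    results = {}
    for cfg in Path(jenkins_home).glob("jobs/**/config.xml"):
        try:
            hits = find_plaintext_credentials(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file: skip, do not crash the audit
        if hits:
            results[str(cfg)] = hits
    return results


if __name__ == "__main__":
    for hit in find_plaintext_credentials(SAMPLE_CONFIG_XML):
        print(f"plaintext credential at {hit['path']} ({hit['length']} chars)")
```

Run it against a real controller with scan_jenkins_home("/var/lib/jenkins") (path is an assumption); a hit means the job should be migrated to a credentials-store binding and the exposed secret rotated. The tag-name heuristic is deliberately broad, so expect to review hits by hand rather than treat them as confirmed findings.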
Affected Version(s)
Jenkins Redgate SQL Change Automation Plugin <= 2.0.3
References
CVSS V3.1
Score: 6.5
Severity: MEDIUM
Confidentiality: High
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Timeline
Vulnerability published
Vulnerability Reserved