Unencrypted Password Storage in Jenkins Nomad Plugin by CloudBees
CVE-2021-21681

5.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Nomad Plugin
Vendor: CVE Published:; 31 August 2021

Summary

The Jenkins Nomad Plugin versions 0.7.4 and earlier expose a significant vulnerability by storing Docker passwords in an unencrypted format within the global config.xml file on the Jenkins controller. This practice allows users with file system access to the controller to easily view sensitive information like Docker credentials, potentially compromising system integrity and security. It is crucial for users of this plugin to upgrade to a version that addresses this vulnerability to safeguard their environments.

Affected Version(s)

Jenkins Nomad Plugin <= 0.7.4

References

https://www.jenkins.io/security/advisory/2021-08-31/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2021/08/31/1

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

5.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Local

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Aug 31, 2021
Vulnerability Reserved
Jan 4, 2021