Unencrypted Secret File Credentials Stored on Jenkins Controller File System
CVE-2024-39459

Currently unrated

Key Information:

Vendor: Jenkins
Status: Jenkins Plain Credentials Plugin
Vendor: CVE Published:; 26 June 2024

Summary

In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials).

Affected Version(s)

Jenkins Plain Credentials Plugin 0 <= 182.v468b_97b_9dcb_8

References

https://www.jenkins.io/security/advisory/2024-06-26/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/06/26/2

Timeline

Vulnerability published
Jun 26, 2024
Vulnerability Reserved
Jun 25, 2024

Collectors

NVD DatabaseMitre Database