Unencrypted Secret File Credentials Stored on Jenkins Controller File System
CVE-2024-39459

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Plain Credentials Plugin
Vendor: CVE Published:; 26 June 2024

What is CVE-2024-39459?

In rare cases Jenkins Plain Credentials Plugin 182.v468b_97b_9dcb_8 and earlier stores secret file credentials unencrypted (only Base64 encoded) on the Jenkins controller file system, where they can be viewed by users with access to the Jenkins controller file system (global credentials) or with Item/Extended Read permission (folder-scoped credentials).

Affected Version(s)

Jenkins Plain Credentials Plugin 0 <= 182.v468b_97b_9dcb_8

References

https://www.jenkins.io/security/advisory/2024-06-26/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2024/06/26/2

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Jun 26, 2024
Vulnerability Reserved
Jun 25, 2024