Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS01YzJjLWN2ZzYtZ2hqbc4AApuC
Password stored in plain text by Jenkins Nomad Plugin
Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.
These passwords can be viewed by users with access to the Jenkins controller file system.
Jenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.
Permalink: https://github.com/advisories/GHSA-5c2c-cvg6-ghjmJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01YzJjLWN2ZzYtZ2hqbc4AApuC
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 5.5
CVSS vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-5c2c-cvg6-ghjm, CVE-2021-21681
References:
- https://nvd.nist.gov/vuln/detail/CVE-2021-21681
- https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396
- http://www.openwall.com/lists/oss-security/2021/08/31/1
- https://github.com/jenkinsci/nomad-plugin/commit/d45123487d57c0e2a8a6869866b05362f690f511
- https://github.com/advisories/GHSA-5c2c-cvg6-ghjm
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:nomad
Affected Version Ranges: <= 0.7.4Fixed in: 0.7.5