Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1jdmg4LTlqNHgtNXY0as38cQ

Jenkins Artifactory Plugin stored old directly entered credentials unencrypted on disk

An insufficiently protected credentials vulnerability exists in Jenkins Artifactory Plugin 2.16.1 and earlier, in ArtifactoryBuilder.java and CredentialsConfig.java, that allows attackers with local file system access to obtain old credentials that were configured for the plugin before it integrated with Credentials Plugin.

Permalink: https://github.com/advisories/GHSA-cvh8-9j4x-5v4j
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jdmg4LTlqNHgtNXY0as38cQ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: High
Classification: General
Published: almost 2 years ago
Updated: 3 months ago


CVSS Score: 7.8
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Identifiers: GHSA-cvh8-9j4x-5v4j, CVE-2018-1000424
References:
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:artifactory
Affected Version Ranges: < 2.16.2
Fixed in: 2.16.2