Ecosyste.ms: Advisories

Security Advisories: GSA_kwCzR0hTQS1oaGhoLTY5cXAtNXAyds4AAiYx

Jenkins Fortify on Demand Plugin stores credentials in plain text

Jenkins Fortify on Demand Plugin stores credentials unencrypted in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Permalink: https://github.com/advisories/GHSA-hhhh-69qp-5p2v
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1oaGhoLTY5cXAtNXAyds4AAiYx
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: over 2 years ago
Updated: about 1 year ago

CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

EPSS Percentage: 0.00104
EPSS Percentile: 0.43521

Identifiers: GHSA-hhhh-69qp-5p2v, CVE-2019-10449
References:

• https://nvd.nist.gov/vuln/detail/CVE-2019-10449
• https://jenkins.io/security/advisory/2019-10-16/#SECURITY-1433
• https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/commit/83b23662dc0ce9486b904e282bd8047496730819
• https://github.com/jenkinsci/fortify-on-demand-uploader-plugin/commit/277642040362bcc64df163bfc1ab48f7763c2853
• https://github.com/advisories/GHSA-hhhh-69qp-5p2v

Repository: https://github.com/jenkinsci/fortify-on-demand-uploader-plugin
Blast Radius: 1.0

Affected Packages