Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qY3dqLWo1NzQtOGoyY84AAgmI
Jenkins Azure AD Plugin stored the client secret unencrypted
Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.
Azure AD Plugin now stores the client secret encrypted.
Permalink: https://github.com/advisories/GHSA-jcwj-j574-8j2cJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qY3dqLWo1NzQtOGoyY84AAgmI
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: almost 2 years ago
Updated: 5 months ago
CVSS Score: 3.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-jcwj-j574-8j2c, CVE-2019-10318
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10318
- https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
- http://www.openwall.com/lists/oss-security/2019/04/30/5
- https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
- https://github.com/jenkinsci/azure-ad-plugin/commit/70983d1a6528847ccd6e7f124450c578c42d194f
- https://github.com/advisories/GHSA-jcwj-j574-8j2c
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:azure-ad
Affected Version Ranges: <= 0.3.3Fixed in: 0.3.4