Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tbXF4LWc3OGMtaHZmas33fw
Jenkins AppDynamics Dashboard Plugin has insufficiently protected credentials
Jenkins AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.
AppDynamics Dashboard Plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.
Permalink: https://github.com/advisories/GHSA-mmqx-g78c-hvfjJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tbXF4LWc3OGMtaHZmas33fw
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: almost 2 years ago
Updated: 6 months ago
CVSS Score: 4.3
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-mmqx-g78c-hvfj, CVE-2019-1003039
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-1003039
- https://jenkins.io/security/advisory/2019-03-06/#SECURITY-1087
- https://web.archive.org/web/20200227084009/http://www.securityfocus.com/bid/107476
- https://github.com/advisories/GHSA-mmqx-g78c-hvfj
Affected Packages
maven:org.jenkins-ci.plugins:appdynamics-dashboard
Affected Version Ranges: <= 1.0.14Fixed in: 1.0.15