CVE-2019-1003048 — Jenkins PRQA Plugin stored password in plain text

Description

Jenkins PRQA Plugin stored a password unencrypted in its global configuration file on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. The plugin now stores the password encrypted in the configuration files on disk.

How to fix CVE-2019-1003048

To remediate CVE-2019-1003048, upgrade the affected package to a fixed version below.

—upgrade to 3.1.2 or later

Is CVE-2019-1003048 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 3.1.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-1003048
WEBjenkins.io/security/advisory/2019-03-25/#SECURITY-1089
WEBweb.archive.org/web/20200227082607/http://www.securityfocus.com/bid/107628
WEBwww.openwall.com/lists/oss-security/2019/03/28/2