CVE-2019-10303
Jenkins Azure PublisherSettings Credentials Plugin stored credentials in plain text
CVSS 3.1: 3.3 (LOW)
EPSS: 0.07%
Description
Jenkins Azure PublisherSettings Credentials Plugin stored the service management certificate unencrypted in credentials.xml on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. Azure PublisherSettings Credentials Plugin has been deprecated. Azure PublisherSettings Credentials Plugin 1.5 no longer provides any user features and we recommend the plugin be uninstalled.
How to fix CVE-2019-10303
To remediate CVE-2019-10303, upgrade the affected package to a fixed version below.
- Upgrade to 1.5 or later
Is CVE-2019-10303 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- from 0, < 1.5
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW 3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |