CVE-2019-10318
LOW3.3EPSS 0.07%Jenkins Azure AD Plugin stored the client secret unencrypted
Published: 5/24/2022Modified: 2/16/2024
Description
Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. Azure AD Plugin now stores the client secret encrypted.
Affected packages (1)
- Maven/org.jenkins-ci.plugins:azure-adfrom 0, < 0.3.4
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW3.3 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
References (5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10318
- WEBhttps://github.com/jenkinsci/azure-ad-plugin/commit/70983d1a6528847ccd6e7f124450c578c42d194f
- WEBhttps://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
- WEBhttps://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
- WEBhttp://www.openwall.com/lists/oss-security/2019/04/30/5