CVE-2019-10413 — Jenkins Data Theorem Mobile Security: CI/CD Plugin has Insufficiently Protected

Description

Data Theorem Mobile Security: CI/CD Plugin stored a proxy password unencrypted in job `config.xml` files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Data Theorem Mobile Security: CI/CD Plugin now stores the proxy password encrypted. Existing jobs need to have their configuration saved for existing plain text proxy passwords to be overwritten.

How to fix CVE-2019-10413

To remediate CVE-2019-10413, upgrade the affected package to a fixed version below.

—upgrade to 1.4.0 or later

Is CVE-2019-10413 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.4.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (3)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10413
WEBjenkins.io/security/advisory/2019-09-25/#SECURITY-1557
WEBwww.openwall.com/lists/oss-security/2019/09/25/3