CVE-2019-10415

MEDIUM4.3EPSS 0.05%

Jenkins Violation Comments to GitLab Plugin has Insufficiently Protected Credentials

Published: 5/24/2022Modified: 2/16/2024

Description

Violation Comments to GitLab Plugin stored API tokens unencrypted in job `config.xml` files and its global configuration file `org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml` on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Violation Comments to GitLab Plugin now stores these credentials encrypted. Existing jobs need to have their configuration saved for existing plain text credentials to be overwritten.

Affected packages (1)

Maven/org.jenkins-ci.plugins:violation-comments-to-gitlabfrom 0, < 2.29

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10415
WEBhttps://github.com/jenkinsci/violation-comments-to-gitlab-plugin/commit/e8237a803012bae7773d8bd10fe02e21892be3fe
WEBhttps://jenkins.io/security/advisory/2019-09-25/#SECURITY-1577
WEBhttp://www.openwall.com/lists/oss-security/2019/09/25/3