CVE-2019-10443

HIGH8.8EPSS 0.11%

Jenkins iceScrum Plugin stores credentials in Cleartext

Published: 5/24/2022Modified: 2/17/2024

Description

Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

Affected packages (1)

Maven/org.jenkins-ci.plugins:icescrumfrom 0, < 1.1.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10443
PATCHhttps://github.com/jenkinsci/icescrum-plugin
WEBhttps://jenkins.io/security/advisory/2019-10-16/#SECURITY-1436
WEBhttps://www.zerodayinitiative.com/advisories/ZDI-19-933
WEBhttp://www.openwall.com/lists/oss-security/2019/10/16/6