CVE-2019-16568 — Jenkins SCTMExecutor Plugin stores credentials in plain text

Description

Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations.

How to fix CVE-2019-16568

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

—no fix listed

Is CVE-2019-16568 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, <= 2.2

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM5.3	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16568
WEBgithub.com/jenkins-infra/update-center2/pull/324
WEBjenkins.io/security/advisory/2019-12-17/#SECURITY-1521
WEBwww.openwall.com/lists/oss-security/2019/12/17/1