CVE-2019-10416

MEDIUM4.3EPSS 0.05%

Violation Comments to GitLab Plugin has Insufficiently Protected Credentials

發布日:2022/5/24修改日:2024/2/16

描述

Violation Comments to GitLab Plugin stored API tokens unencrypted in job `config.xml` files and its global configuration file `org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml` on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Violation Comments to GitLab Plugin now stores these credentials encrypted. Existing jobs need to have their configuration saved for existing plain text credentials to be overwritten.

受影響套件(1)

Maven/org.jenkins-ci.plugins:violation-comments-to-gitlabfrom 0, < 2.29

CVSS 分數

來源	版本	嚴重程度	向量
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

參考連結(4)

ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2019-10416
WEBhttps://github.com/jenkinsci/violation-comments-to-gitlab-plugin/commit/e8237a803012bae7773d8bd10fe02e21892be3fe
WEBhttps://jenkins.io/security/advisory/2019-09-25/#SECURITY-1577
WEBhttp://www.openwall.com/lists/oss-security/2019/09/25/3