CVE-2021-21681
MEDIUM5.5EPSS 0.01%Password stored in plain text by Jenkins Nomad Plugin
發布日:2022/5/24修改日:2024/2/16
描述
Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global `config.xml` file on the Jenkins controller as part of its worker templates configuration. These passwords can be viewed by users with access to the Jenkins controller file system. Jenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.
受影響套件(1)
- Maven/org.jenkins-ci.plugins:nomadfrom 0, < 0.7.5
CVSS 分數
| 來源 | 版本 | 嚴重程度 | 向量 |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM5.5 | CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
參考連結(5)
- ADVISORYhttps://nvd.nist.gov/vuln/detail/CVE-2021-21681
- PATCHhttps://github.com/jenkinsci/nomad-plugin
- WEBhttps://github.com/jenkinsci/nomad-plugin/commit/d45123487d57c0e2a8a6869866b05362f690f511
- WEBhttps://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396
- WEBhttp://www.openwall.com/lists/oss-security/2021/08/31/1