Jason Stangroome

#51575 of 53,634
4.3 Total CVSS
Vulnerabilities · 1
PT-2024-4651
4.3
2024-06-19
Jenkins · Jenkins Credentials Plugin · CVE-2024-39459
Name of the Vulnerable Software and Affected Versions: Jenkins Plain Credentials Plugin versions 182.v468b_97b_9dcb_8 and earlier

Description: The issue concerns how the Jenkins Plain Credentials Plugin stores secret file credentials. In rare cases, the plugin stores these credentials unencrypted (only Base64 encoded) on the Jenkins controller file system. Users with access to the Jenkins controller file system, or with Item/Extended Read permission, can therefore view the credentials. Exploitation of this issue may allow a remote attacker to gain unauthorized access to protected information.

Recommendations: For Jenkins Plain Credentials Plugin versions 182.v468b_97b_9dcb_8 and earlier, update to version 183.va_de8f1dd5a_2b or later, which no longer attempts to decrypt the content of the file when creating secret file credentials and thus addresses the issue. As a temporary workaround, restrict access to the Jenkins controller file system and limit Item/Extended Read permission to minimize the risk of exploitation.