PT-2017-10817 · Jenkins · Credentials Plugin+2

Jesse Glick

Published

2017-10-04

Updated

2022-05-14

CVE-2017-1000113

CVSS v3.1

5.5

Medium

Vector

AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions Deploy to container Plugin (affected versions not specified)

Description The issue concerns the storage of passwords in the Deploy to container Plugin. Previously, passwords were stored unencrypted as part of the plugin's configuration, allowing users with local file system access to the Jenkins master or Extended Read access to the jobs to retrieve these passwords. The plugin now integrates with the Credentials Plugin to securely store passwords and automatically migrates existing passwords.

Recommendations For the Deploy to container Plugin, update the plugin to integrate with the Credentials Plugin to securely store passwords.

Fix

Information Disclosure

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-200

Related Identifiers

CVE-2017-1000113

GHSA-3Q6P-R6RR-266X

Affected Products

Credentials Plugin

Deploy To Container Plugin

Jenkins

PT-2017-10817 · Jenkins · Credentials Plugin+2

CVE-2017-1000113

Weakness Enumeration

Related Identifiers

Affected Products

References · 4