PT-2019-11338 · Jenkins · Jenkins Rqm Plugin+1
Viktor Gazdag · Published 2019-03-28 · Updated 2023-10-25
CVE-2019-1003048
CVSS v3.1: 7.8 (High)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Jenkins PRQA Plugin versions 3.1.0 and earlier
Description:
A security issue allows attackers with local file system access to the Jenkins home directory to obtain an unencrypted password from the plugin configuration. The plugin stored a password unencrypted in its global configuration file on the Jenkins controller, which could be viewed by users with access to the Jenkins controller file system. The issue has been addressed by storing the password encrypted in the configuration files on disk.
Recommendations:
For Jenkins PRQA Plugin versions 3.1.0 and earlier, update the plugin to a version that stores the password encrypted in the configuration files.
Fix
Missing Encryption of Sensitive Data
Affected Products
Jenkins
Jenkins Rqm Plugin