PT-2019-11693 · Jenkins · Jenkins Netsparker Enterprise Scan Plugin +2

Viktor Gazdag · Published 2019-04-04 · Updated 2023-10-25 · CVE-2019-10291

CVSS v2.0: 4.0 (Medium)
Vector: AV:N/AC:L/Au:S/C:P/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Netsparker Cloud Scan Plugin version 1.1.5 and older
Jenkins Netsparker Enterprise Scan Plugin (affected versions not specified)

Description

The issue concerns the storage of sensitive information in plain text within configuration files on the Jenkins master or controller. Specifically, the Jenkins Netsparker Cloud Scan Plugin stored credentials unencrypted, while the Jenkins Netsparker Enterprise Scan Plugin stored API tokens unencrypted in its global configuration file com.netsparker.cloud.plugin.NCScanBuilder.xml. These could be accessed by users with file system access to the Jenkins master or controller. The Netsparker Enterprise Scan Plugin has been updated to store API tokens encrypted.

Recommendations

For Jenkins Netsparker Cloud Scan Plugin version 1.1.5 and older, update to a version that stores credentials encrypted. For Jenkins Netsparker Enterprise Scan Plugin, ensure you are using the updated version that stores API tokens encrypted. As a temporary workaround, consider restricting access to the com.netsparker.cloud.plugin.NCScanBuilder.xml file to minimize the risk of exploitation.
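A defender's check for the two conditions described above, written as an added example (not code from the advisory or from the plugin): it parses a Jenkins plugin configuration file, flags credential-like elements whose value is not in the braced-base64 form Jenkins uses for encrypted hudson.util.Secret values, and reports whether the file's mode grants read access beyond the owner. The element names (ncApiToken, ncServerURL, netsparkerConfig) and the list of credential-like name fragments are assumptions for illustration; the plugin's real field names are not given in the advisory. The sample XML documents are constructed.

```python
import os
import re
import stat
import xml.etree.ElementTree as ET
from typing import Dict, List, Tuple

# Jenkins serialises hudson.util.Secret values as base64 wrapped in braces,
# e.g. "{AQAAABAAAAAQ...}". Any other non-empty value in a credential-bearing
# element is stored in the clear.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element-name fragments treated as credential-bearing. Hypothetical list:
# the plugin's real field names are not stated in the advisory.
SENSITIVE_NAME_PARTS = ("token", "apikey", "password", "secret", "credential")


def classify_value(value: str) -> str:
    """Return 'empty', 'encrypted' or 'plaintext' for one stored value."""
    v = value.strip()
    if not v:
        return "empty"
    if ENCRYPTED_SECRET_RE.match(v):
        return "encrypted"
    return "plaintext"


def audit_config(xml_text: str) -> List[Tuple[str, str]]:
    """Return (element name, verdict) for each credential-like element
    whose value is not in Jenkins' encrypted form."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        name = elem.tag.lower()
        if not any(part in name for part in SENSITIVE_NAME_PARTS):
            continue
        verdict = classify_value(elem.text or "")
        if verdict == "plaintext":
            findings.append((elem.tag, verdict))
    return findings


def readable_beyond_owner(mode: int) -> bool:
    """True if an st_mode value grants read permission to group or others."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit_file(path: str) -> Dict[str, object]:
    """Audit one on-disk config file for both conditions in the advisory."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_config(fh.read())
    mode = os.stat(path).st_mode
    return {
        "plaintext_fields": findings,
        "readable_beyond_owner": readable_beyond_owner(mode),
    }


# Constructed sample configs; element names are hypothetical.
PLAINTEXT_CONFIG = """<netsparkerConfig>
  <ncServerURL>https://example.invalid/</ncServerURL>
  <ncApiToken>EXAMPLE-PLAINTEXT-TOKEN-0000</ncApiToken>
</netsparkerConfig>
"""

ENCRYPTED_CONFIG = """<netsparkerConfig>
  <ncServerURL>https://example.invalid/</ncServerURL>
  <ncApiToken>{AQAAABAAAAAQaGVsbG8gd29ybGQ=}</ncApiToken>
</netsparkerConfig>
"""


if __name__ == "__main__":
    for label, cfg in (("plaintext sample", PLAINTEXT_CONFIG),
                       ("encrypted sample", ENCRYPTED_CONFIG)):
        print(label, "->", audit_config(cfg) or "no plaintext credentials")
    print("mode 0644 readable beyond owner:", readable_beyond_owner(0o644))
```

Pointing audit_file at $JENKINS_HOME/com.netsparker.cloud.plugin.NCScanBuilder.xml gives both signals the advisory cares about: whether the token is still stored in the clear, and whether the temporary workaround of restricting file access has actually been applied. The braced-base64 test only tells you a value is in the encrypted container format, not that the key protecting it is sound, so it is a storage check rather than a cryptographic one.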

Fix

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2019-10291
GHSA-M7Q8-8G56-M78W

Affected Products

Jenkins
Jenkins Netsparker Cloud Scan Plugin
Jenkins Netsparker Enterprise Scan Plugin