PT-2019-11718 · Jenkins · Jenkins Aqua Microscanner Plugin+1
Published
2019-04-30
·
Updated
2023-10-25
·
CVE-2019-10316
CVSS v3.1
8.8
High
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
Name of the Vulnerable Software and Affected Versions
Jenkins Aqua MicroScanner Plugin versions 1.0.5 and earlier
Description
The issue concerns the storage of credentials in the Jenkins Aqua MicroScanner Plugin. Specifically, the plugin stored credentials unencrypted in its global configuration file on the Jenkins master or controller. This allowed users with access to the master or controller file system to view these credentials. It is noted that the Aqua MicroScanner Plugin now stores credentials encrypted, implying a fix has been implemented for versions after 1.0.5.
Recommendations
For Jenkins Aqua MicroScanner Plugin versions 1.0.5 and earlier, update to a version that stores credentials encrypted to resolve the issue.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Aqua Microscanner Plugin