PT-2019-11747 · Jenkins · Jenkins Gogs Plugin
David Fiser · Published 2019-07-11 · Updated 2023-10-25 · CVE-2019-10348
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Gogs Plugin (affected versions not specified)
Description
The issue concerns the storage of credentials in unencrypted form in job config.xml files on the Jenkins master or controller. These credentials can be read by users with Extended Read permission or by anyone with access to the master or controller file system. The estimated number of potentially affected devices worldwide is not available, and there is no information about real-world incidents in which this issue was exploited.
Technical details about exploitation:
- API Endpoints: Not specified
- Vulnerable Parameters or Variables: config.xml files
- Function Names: Not specified
Recommendations
For all affected versions, update the Gogs Plugin to a version that stores credentials encrypted; newer releases of the plugin do so.
No specific steps for older versions are documented, but ensuring that credentials are stored encrypted is crucial.
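A defender-side check for this weakness, added here as an example and not part of the advisory or the plugin: Jenkins serialises encrypted secrets (hudson.util.Secret) as a base64 blob wrapped in braces, so any secret-looking element in a job config.xml whose value does not have that shape is stored in cleartext. The sample config.xml, the tag names and the encrypted-looking value are all constructed for the demonstration, not the plugin's real schema.

```python
import os
import re
import xml.etree.ElementTree as ET

# Encrypted Jenkins Secret values look like "{<base64>}"; anything else in a
# secret-like field is assumed to be cleartext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names that usually hold credentials (heuristic, case-insensitive).
SECRET_TAGS = re.compile(r"password|secret|token|passphrase|apikey|api_key", re.IGNORECASE)


def find_cleartext_secrets(config_xml):
    """Return a list of (element path, value) for every secret-like element
    in a job config.xml whose content is not an encrypted Jenkins Secret."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_TAGS.search(elem.tag) and not ENCRYPTED_RE.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


def scan_jobs_dir(jenkins_home):
    """Walk $JENKINS_HOME/jobs and report cleartext secrets per config.xml."""
    report = {}
    for dirpath, _dirs, files in os.walk(os.path.join(jenkins_home, "jobs")):
        if "config.xml" in files:
            path = os.path.join(dirpath, "config.xml")
            with open(path, encoding="utf-8") as fh:
                hits = find_cleartext_secrets(fh.read())
            if hits:
                report[path] = hits
    return report


# Constructed sample job config.xml: one cleartext secret next to one
# value in the encrypted Secret format (the blob itself is made up).
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <publishers>
    <notifier>
      <gogsSecret>hunter2-cleartext</gogsSecret>
      <apiToken>{AQAAABAAAAAQ3PkbLfQvMpd3nFyu0c4R9Zh6sOfoRyKWzFfyDkx4nyM=}</apiToken>
    </notifier>
  </publishers>
</project>"""

if __name__ == "__main__":
    for path, value in find_cleartext_secrets(SAMPLE_CONFIG):
        print(f"cleartext secret at {path}: {value!r}")
```

Run `scan_jobs_dir("/var/lib/jenkins")` (or whatever your JENKINS_HOME is) on the controller to audit all job configurations at once; the tag heuristic will need tuning for plugins that use other element names.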
Fix
Cleartext Storage of Sensitive Information
Weakness Enumeration
Related Identifiers
Affected Products
- Jenkins
- Jenkins Gogs Plugin