PT-2019-11758 · Jenkins · Jenkins Configuration As Code Plugin

Wadeck Follonier · Published 2019-07-31 · Updated 2023-10-25 · CVE-2019-10362

CVSS v2.0: 5.5 (Medium)

Vector: AV:N/AC:L/Au:S/C:P/I:P/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Configuration as Code Plugin versions 1.24 and earlier

Description: The plugin does not escape configuration values when exporting the Jenkins configuration. Because the exported values are written verbatim, any `${...}` pattern they contain is treated as a variable reference and interpolated when the exported configuration is imported again. This allows attackers with permission to change the Jenkins system configuration to obtain the values of environment variables, resulting in the exposure of sensitive information.

Recommendations: For Jenkins Configuration as Code Plugin versions 1.24 and earlier, update to a version later than 1.24 to resolve the issue.

Fix

Improper Encoding or Escaping of Output

Weakness Enumeration

Related Identifiers

CVE-2019-10362
GHSA-5R6P-P9R6-R326

Affected Products

Jenkins
Jenkins Configuration As Code Plugin