PT-2019-11792 · Jenkins · Jenkins Beaker Builder Plugin+1
James Holderness
·
Published
2019-09-12
·
Updated
2023-10-25
·
CVE-2019-10398
CVSS v3.1
3.3
Low
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Beaker Builder Plugin versions 1.9 and earlier
Description
The issue concerns the storage of credentials in the Jenkins Beaker Builder Plugin. Specifically, the plugin stored credentials unencrypted in its global configuration file on the Jenkins master, allowing users with access to the master file system to view them. This includes the Beaker password, which was stored in plain text on the Jenkins controller and could be accessed by users with file system access to the controller.
Recommendations
For Jenkins Beaker Builder Plugin versions 1.9 and earlier, update the plugin to a version that stores credentials encrypted, as the updated Beaker builder Plugin now stores these credentials securely.
Fix
Insufficiently Protected Credentials
Found an issue in the description? Have something to add? Feel free to write us 👾
Weakness Enumeration
Related Identifiers
Affected Products
Jenkins
Jenkins Beaker Builder Plugin