PT-2019-14697 · Jenkins · Jenkins Anchore Container Image Scanner Plugin
James Holderness · Published 2019-11-21 · Updated 2023-10-25 · CVE-2019-16542
CVSS v3.1: 6.5 Medium
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins Anchore Container Image Scanner Plugin versions 1.0.19 and earlier
Description
The plugin stores credentials unencrypted in job config.xml files on the Jenkins master, allowing users with Extended Read permission or with access to the master file system to view them. The stored credential was the password for the Anchore.io service. Because the affected functionality had been deprecated and the Anchore.io service was shut down in late 2018, the affected feature has been removed.
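Added example, not from the advisory or the plugin: a small audit that flags credential-like elements in a Jenkins job config.xml whose value is not in the braces-wrapped base64 form Jenkins uses for encrypted hudson.util.Secret fields, which is the condition this advisory describes. The element names and the encrypted value in the constructed sample are hypothetical and are not the plugin's real field names.

```python
import re
import xml.etree.ElementTree as ET

# Jenkins serializes hudson.util.Secret fields as base64 text wrapped in braces.
# Anything else in a credential-named element is a plaintext candidate.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Heuristic element-name filter (assumption, not taken from the advisory).
SECRET_NAME_RE = re.compile(r"(pass|pwd|secret|token|key)", re.I)

def find_plaintext_secrets(config_xml: str) -> list:
    """Return (element_path, value) pairs for credential-like elements whose
    value is not an encrypted Secret, i.e. readable by anyone who can read
    config.xml (Extended Read permission or master file-system access)."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        value = (elem.text or "").strip()
        if SECRET_NAME_RE.search(elem.tag) and value and not ENCRYPTED_RE.match(value):
            findings.append((here, value))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return findings

# Constructed sample job config.xml: a publisher holding a service password in
# the clear next to a correctly encrypted Secret. Element names are hypothetical
# and not the plugin's real field names; the encrypted value is made up.
SAMPLE_CONFIG = """<project>
  <publishers>
    <com.example.AnchoreBuilder>
      <anchoreioUser>ci-bot</anchoreioUser>
      <anchoreioPass>hunter2</anchoreioPass>
      <engineToken>{AQAAABAAAAAQ9gm7c2fEgL6pWlD0F2ZtHc2D3q0L0rbo7jt7ZGL8eQ=}</engineToken>
    </com.example.AnchoreBuilder>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"PLAINTEXT CREDENTIAL {path} = {value!r}")
```

Run it over every jobs/*/config.xml on a master to list job configurations that still carry a plaintext credential.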
Recommendations
For Jenkins Anchore Container Image Scanner Plugin versions 1.0.19 and earlier, consider removing or disabling the affected feature to minimize potential risks, as the functionality has been deprecated and the related service is no longer available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
Weakness Enumeration
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Jenkins
Jenkins Anchore Container Image Scanner Plugin