PT-2021-14655 · Jenkins · Jenkins Tracetronic Ecu-Test Plugin

Long Nguyen · Published 2021-01-13 · Updated 2023-10-25 · CVE-2021-21612

CVSS v3.1: 5.5 Medium

Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins TraceTronic ECU-TEST Plugin versions 2.23.1 and earlier

Description

The plugin stores credentials unencrypted in its global configuration file, de.tracetronic.jenkins.plugins.ecutest.report.atx.installation.ATXInstallation.xml, on the Jenkins controller. These credentials are accessible to users with access to the Jenkins controller file system.

Recommendations

For Jenkins TraceTronic ECU-TEST Plugin versions 2.23.1 and earlier, update to version 2.24 or later. That version adds a new option type for sensitive options and migrates previously stored credentials to this option type on Jenkins startup.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2021-21612
GHSA-QVJR-X8FW-HGHV

Affected Products

Jenkins
Jenkins Tracetronic Ecu-Test Plugin