ghsa-q736-rgcp-q443
Vulnerability from github
Published
2022-05-24 16:50
Modified
2023-10-26 22:48
Severity
Summary
Jenkins Gogs Plugin stored credentials in plain text
Details
Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.
Gogs Plugin now stores credentials encrypted.
{
"affected": [
{
"database_specific": {
"last_known_affected_version_range": "\u003c= 1.0.14"
},
"package": {
"ecosystem": "Maven",
"name": "org.jenkins-ci.plugins:gogs-webhook"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "1.0.15"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2019-10348"
],
"database_specific": {
"cwe_ids": [
"CWE-312"
],
"github_reviewed": true,
"github_reviewed_at": "2023-10-26T22:48:25Z",
"nvd_published_at": "2019-07-11T14:15:00Z",
"severity": "MODERATE"
},
"details": "Jenkins Gogs Plugin stored credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.\n\nGogs Plugin now stores credentials encrypted.",
"id": "GHSA-q736-rgcp-q443",
"modified": "2023-10-26T22:48:25Z",
"published": "2022-05-24T16:50:04Z",
"references": [
{
"type": "ADVISORY",
"url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10348"
},
{
"type": "WEB",
"url": "https://github.com/jenkinsci/gogs-webhook-plugin/commit/34de11fe0822864c4c340b395dadebca8cb11844"
},
{
"type": "WEB",
"url": "https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438"
},
{
"type": "WEB",
"url": "http://www.openwall.com/lists/oss-security/2019/07/11/4"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
"type": "CVSS_V3"
}
],
"summary": "Jenkins Gogs Plugin stored credentials in plain text"
}
Loading...