github - ghsa-qh3m-c6hw-5hmv

ghsa-qh3m-c6hw-5hmv

Vulnerability from github

Published

2022-05-24 17:03

Modified

2024-01-30 21:14

Severity

6.5 (Medium) - CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Summary

Jenkins Rundeck Plugin stored credentials in plain text

Details

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 3.6.5"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:rundeck"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.6.6"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-16556"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T21:14:01Z",
    "nvd_published_at": "2019-12-17T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-qh3m-c6hw-5hmv",
  "modified": "2024-01-30T21:14:01Z",
  "published": "2022-05-24T17:03:47Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-16556"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Jenkins Rundeck Plugin stored credentials in plain text "
}

cve-2019-16556

Vulnerability from cvelistv5

Published

2019-12-17 14:40

Modified

2024-08-05 01:17

Severity

Summary

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

References

URL	Tags
https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636	x_refsource_CONFIRM
http://www.openwall.com/lists/oss-security/2019/12/17/1	mailing-list, x_refsource_MLIST

Impacted products

Vendor	Product
Jenkins project	Jenkins Rundeck Plugin

Show details on NVD website

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2024-08-05T01:17:41.007Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "tags": [
              "x_refsource_CONFIRM",
              "x_transferred"
            ],
            "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
          },
          {
            "name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins",
            "tags": [
              "mailing-list",
              "x_refsource_MLIST",
              "x_transferred"
            ],
            "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "product": "Jenkins Rundeck Plugin",
          "vendor": "Jenkins project",
          "versions": [
            {
              "lessThanOrEqual": "3.6.5",
              "status": "affected",
              "version": "unspecified",
              "versionType": "custom"
            }
          ]
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system."
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2023-10-24T16:50:46.924Z",
        "orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
        "shortName": "jenkins"
      },
      "references": [
        {
          "tags": [
            "x_refsource_CONFIRM"
          ],
          "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
        },
        {
          "name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins",
          "tags": [
            "mailing-list",
            "x_refsource_MLIST"
          ],
          "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
        }
      ],
      "x_legacyV4Record": {
        "CVE_data_meta": {
          "ASSIGNER": "jenkinsci-cert@googlegroups.com",
          "ID": "CVE-2019-16556",
          "STATE": "PUBLIC"
        },
        "affects": {
          "vendor": {
            "vendor_data": [
              {
                "product": {
                  "product_data": [
                    {
                      "product_name": "Jenkins Rundeck Plugin",
                      "version": {
                        "version_data": [
                          {
                            "version_affected": "\u003c=",
                            "version_value": "3.6.5"
                          }
                        ]
                      }
                    }
                  ]
                },
                "vendor_name": "Jenkins project"
              }
            ]
          }
        },
        "data_format": "MITRE",
        "data_type": "CVE",
        "data_version": "4.0",
        "description": {
          "description_data": [
            {
              "lang": "eng",
              "value": "Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system."
            }
          ]
        },
        "problemtype": {
          "problemtype_data": [
            {
              "description": [
                {
                  "lang": "eng",
                  "value": "CWE-256: Unprotected Storage of Credentials"
                }
              ]
            }
          ]
        },
        "references": {
          "reference_data": [
            {
              "name": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636",
              "refsource": "CONFIRM",
              "url": "https://jenkins.io/security/advisory/2019-12-17/#SECURITY-1636"
            },
            {
              "name": "[oss-security] 20191217 Multiple vulnerabilities in Jenkins plugins",
              "refsource": "MLIST",
              "url": "http://www.openwall.com/lists/oss-security/2019/12/17/1"
            }
          ]
        }
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
    "assignerShortName": "jenkins",
    "cveId": "CVE-2019-16556",
    "datePublished": "2019-12-17T14:40:48",
    "dateReserved": "2019-09-20T00:00:00",
    "dateUpdated": "2024-08-05T01:17:41.007Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.1"
}

Log in or create an account to share your comment.

Tags

Taxonomy of the tags.