GitHub Advisory DatabaseGHSA-VP26-4HJ6-JRVXSkytap Cloud CI Plugin stored credentials in plain text
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.7 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%
Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Affected configurations
| CPE | Name | Operator | Version |
|---|---|---|---|
| org.jenkins-ci.plugins:skytap | le | 2.06 |
References
www.openwall.com/lists/oss-security/2019/07/31/1
github.com/advisories/GHSA-vp26-4hj6-jrvx
github.com/jenkinsci/skytap-cloud-plugin/commit/167986a84d1d15b525eaf0232b1c1a7c47aef670
jenkins.io/security/advisory/2019-07-31/#SECURITY-1429
nvd.nist.gov/vuln/detail/CVE-2019-10366
www.zerodayinitiative.com/advisories/ZDI-19-833/
Related
4 Medium
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
6.5 Medium
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
6.7 Medium
AI Score
Confidence
High
0.003 Low
EPSS
Percentile
69.7%