Jenkins iceScrum Plugin stores credentials in Cleartext

2022-05-2416:58:49

Google

osv.dev

jenkins

icescrum plugin

unencrypted credentials

job config.xml

file system

security issue

EPSS

0.008

Percentile

81.8%

JSON

Jenkins iceScrum Plugin 1.1.4 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

References

www.openwall.com/lists/oss-security/2019/10/16/6

github.com/jenkinsci/icescrum-plugin

jenkins.io/security/advisory/2019-10-16/#SECURITY-1436

nvd.nist.gov/vuln/detail/CVE-2019-10443

www.zerodayinitiative.com/advisories/ZDI-19-933

EPSS

0.008

Percentile

81.8%

JSON

Related for OSV:GHSA-362P-56C9-Q273