Lucene search

GoogleOSV:GHSA-RXPH-CQ38-GM3G

HistoryMay 24, 2022 - 5:03 p.m.

Jenkins SCTMExecutor Plugin stores credentials in plain text

2022-05-2417:03:48

Google

osv.dev

jenkins

sctmexecutor

plugin

credentials

plain text

global configuration

individual jobs

software

AI Score

6.8

Confidence

High

EPSS

0.001

Percentile

38.7%

JSON

Jenkins SCTMExecutor Plugin 2.2 and earlier transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs’ configurations.

References

www.openwall.com/lists/oss-security/2019/12/17/1

github.com/jenkins-infra/update-center2/pull/324

jenkins.io/security/advisory/2019-12-17/#SECURITY-1521

nvd.nist.gov/vuln/detail/CVE-2019-16568