GHSA-P9RC-X48F-582X Passwords stored in plain text by ElasTest Plugin
Jenkins ElasTest Plugin 1.2.1 and earlier stores its server password unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system...
GHSA-W6C2-JRHH-JRXG Credentials stored in plain text by Jenkins tfs Plugin
tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system...
Password stored in plain text by Jenkins HP ALM Quality Center Plugin
HP ALM Quality Center Plugin 1.6 and earlier stores a password in plain text in its global configuration file org.jenkinsci.plugins.qc.QualityCenterIntegrationRecorder.xml. This password can be viewed by users with access to the Jenkins controller file system...
GHSA-5R5F-HCWF-R9JH Secret stored in plain text by Jenkins GitHub Coverage Reporter Plugin
GitHub Coverage Reporter Plugin 1.10 and earlier stores a GitHub access token in plain text in its global configuration file io.jenkins.plugins.gcr.PluginConfiguration.xml. This token can be viewed by users with access to the Jenkins controller file system...
GHSA-9W4V-9C99-HV7R Mattermost Server exposes sensitive information via its System Console UI
An issue was discovered in Mattermost Server before 3.0.0. It potentially allows attackers to obtain sensitive information (credential fields within config.json) via the System Console UI...
GHSA-M365-98J8-W96W Jenkins Zephyr for JIRA Test Management Plugin stores credentials in plain text
Zephyr for JIRA Test Management Plugin 1.5 and earlier stores Jira credentials unencrypted in its global configuration file com.thed.zephyr.jenkins.reporter.ZfjReporter.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system...
GHSA-XV58-GP43-6M76 Credentials stored in plain text by Zephyr Enterprise Test Management Plugin
Zephyr Enterprise Test Management Plugin 1.9.1 and earlier stores its Zephyr password in plain text in the global configuration file com.thed.zephyr.jenkins.reporter.ZeeReporter.xml. This password can be viewed by users with access to the Jenkins controller file system. Zephyr Enterprise Test...
GHSA-JMP9-F42Q-4G85 Passwords stored in plain text by Harvest SCM Plugin
Harvest SCM Plugin 0.5.1 and earlier stores SCM passwords unencrypted in its global configuration file hudson.plugins.harvest.HarvestSCM.xml and in job config.xml files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission (job config.xml only) or access ...
GHSA-64JR-GGW8-H9JC Credentials stored in plain text by debian-package-builder Plugin
debian-package-builder Plugin 1.6.11 and earlier stores a GPG passphrase unencrypted in its global configuration file ru.yandex.jenkins.plugins.debuilder.DebianPackageBuilder.xml on the Jenkins controller. This credential can be viewed by users with access to the Jenkins controller file system...
GHSA-5C97-GXR3-R368 Jenkins Weibo Plugin stores credentials unencrypted in its global configuration file
Jenkins Weibo Plugin 1.0.1 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system...
Jenkins Rundeck Plugin stored credentials in plain text
Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system...
GHSA-6VC8-3XF2-QRXX Magento 2 Community Edition RCE Vulnerability
In Magento prior to 1.9.4.3, Magento prior to 1.14.4.3, Magento 2.2 prior to 2.2.10, and Magento 2.3 prior to 2.3.3 or 2.3.2-p1, an authenticated user with administrative privileges for the import feature can execute arbitrary code through a race condition that allows webserver configuration file...
GHSA-HFJR-M75M-WMH7 Jenkins Zulip Plugin vulnerable to Insufficiently Protected Credentials
Jenkins Zulip Plugin prior to 1.1.1 stored credentials unencrypted in its global configuration file on the Jenkins master where they could be viewed by users with access to the master file system...
Jenkins Bitbucket OAuth Plugin contains Insufficiently Protected Credentials
Jenkins Bitbucket OAuth Plugin prior to 0.10 stores credentials unencrypted in the global config.xml configuration file on the Jenkins master where they could be viewed by users with access to the master file system...
Jenkins View26 Test-Reporting Plugin stores access token in plain text
Jenkins View26 Test-Reporting Plugin stores an access token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix...