Metric | Value |
---|---|
CVSS2 score | 2.1 Low |
Attack Vector | LOCAL |
Attack Complexity | LOW |
Authentication | NONE |
Confidentiality Impact | PARTIAL |
Integrity Impact | NONE |
Availability Impact | NONE |
CVSS2 vector | AV:L/AC:L/Au:N/C:P/I:N/A:N |
EPSS | 0.0004 Low |
EPSS percentile | 5.1% |

The Subversion plugin before 1.54 for Jenkins stores credentials using
base64 encoding, which allows local users to obtain passwords and SSH
private keys by reading a subversion.credentials file.
Author | Note |
---|---|
seth-arnold | We don’t ship this module; I further suspect the fix is just further obfuscation, as I didn’t see any user-supplied keys or passphrases to decode the stored data. |
bugzilla.redhat.com/show_bug.cgi?id=1032391
github.com/jenkinsci/subversion-plugin/commit/7d4562d6f7e40de04bbe29577b51c79f07d05ba6
launchpad.net/bugs/cve/CVE-2013-6372
nvd.nist.gov/vuln/detail/CVE-2013-6372
security-tracker.debian.org/tracker/CVE-2013-6372
wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
www.cve.org/CVERecord?id=CVE-2013-6372