Описание
Jenkins Azure AD Plugin stored the client secret unencrypted
Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.
Azure AD Plugin now stores the client secret encrypted.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2019-10318
- https://github.com/jenkinsci/azure-ad-plugin/commit/70983d1a6528847ccd6e7f124450c578c42d194f
- https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
- https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
- http://www.openwall.com/lists/oss-security/2019/04/30/5
Пакеты
Наименование
org.jenkins-ci.plugins:azure-ad
maven
Затронутые версииВерсия исправления
<= 0.3.3
0.3.4
Связанные уязвимости
CVSS3: 8.8
nvd
почти 7 лет назад
Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.