Описание
Password stored in plain text by Jenkins TestComplete support Plugin
Jenkins TestComplete support Plugin prior to version 2.5.2 stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system. Version 2.5.2 contains a patch for this issue.
Ссылки
- https://nvd.nist.gov/vuln/detail/CVE-2020-2209
- https://github.com/jenkinsci/testcomplete-plugin/commit/00988873c6ea7e8d081380e4262538960efd6bf1
- https://github.com/jenkinsci/testcomplete-plugin/commit/91dae11421b70a334d2058286e30402cf2f86d4b
- https://github.com/jenkinsci/testcomplete-plugin/commit/ca783d3b6be28b13f82865afa6a8888795d57d10
- https://jenkins.io/security/advisory/2020-07-02/#SECURITY-1686
- http://www.openwall.com/lists/oss-security/2020/07/02/7
Пакеты
Наименование
org.jenkins-ci.plugins:TestComplete
maven
Затронутые версииВерсия исправления
< 2.5.2
2.5.2
Связанные уязвимости
CVSS3: 4.3
nvd
больше 5 лет назад
Jenkins TestComplete support Plugin 2.4.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.