CVE-2019-1003038

Опубликовано: 08 мар. 2019

Источник: nvd

CVSS3: 7.8

CVSS2: 2.1

EPSS Низкий

Описание

An insufficiently protected credentials vulnerability exists in Jenkins Repository Connector Plugin 1.2.4 and earlier in src/main/java/org/jvnet/hudson/plugins/repositoryconnector/ArtifactDeployer.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/Repository.java, src/main/java/org/jvnet/hudson/plugins/repositoryconnector/UserPwd.java that allows an attacker with local file system access or control of a Jenkins administrator's web browser (e.g. malicious extension) to retrieve the password stored in the plugin configuration.

Ссылки

http://www.securityfocus.com/bid/107476
Third Party Advisory
VDB Entry
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-958
Vendor Advisory
http://www.securityfocus.com/bid/107476
Third Party Advisory
VDB Entry
https://jenkins.io/security/advisory/2019-03-06/#SECURITY-958
Vendor Advisory

Уязвимые конфигурации

Конфигурация 1

cpe:2.3:a:jenkins:repository_connector:*:*:*:*:*:jenkins:*:*

Версия до 1.2.4 (включая)

EPSS

Процентиль: 1%

0.00011

Низкий

7.8 High

CVSS3

2.1 Low

CVSS2

Дефекты

CWE-522

Связанные уязвимости

GHSA-99jc-v8pq-6qm4

CVSS3: 3.3

github

больше 3 лет назад

Jenkins Repository Connector Plugin has insufficiently protected credentials