CVE-2019-10414 – de.wellnerbou.jenkins:git-changelog

Package

Manager: maven
Name: de.wellnerbou.jenkins:git-changelog
Vulnerable Version: >=0 <2.18

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00065 pctl0.20575

Details

Jenkins Git Changelog Plugin has Insufficiently Protected Credentials Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job `config.xml` files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Git Changelog Plugin now stores these passwords encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Metadata

Created: 2022-05-24T16:56:46Z
Modified: 2023-02-23T20:32:21Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h27g-72mh-9m33/GHSA-h27g-72mh-9m33.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-h27g-72mh-9m33
Finding: F035
Auto approve: 1