CVE-2019-10318 – org.jenkins-ci.plugins:azure-ad
Package
Manager: maven
Name: org.jenkins-ci.plugins:azure-ad
Vulnerable Version: >=0 <0.3.4
Severity
Level: Low
CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.0008 (percentile: 0.24411)
Details
Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. Azure AD Plugin now stores the client secret encrypted.
Metadata
Created: 2022-05-24T16:44:56Z
Modified: 2023-10-26T21:54:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jcwj-j574-8j2c/GHSA-jcwj-j574-8j2c.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-jcwj-j574-8j2c
Finding: F035
Auto approve: 1