CVE-2021-21681 – org.jenkins-ci.plugins:nomad

Package

Manager: maven
Name: org.jenkins-ci.plugins:nomad
Vulnerable Version: >=0 <0.7.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00023 pctl0.04505

Details

Password stored in plain text by Jenkins Nomad Plugin Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global `config.xml` file on the Jenkins controller as part of its worker templates configuration. These passwords can be viewed by users with access to the Jenkins controller file system. Jenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

Metadata

Created: 2022-05-24T19:12:36Z
Modified: 2023-10-27T15:59:40Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5c2c-cvg6-ghjm/GHSA-5c2c-cvg6-ghjm.json
CWE IDs: ["CWE-256", "CWE-522"]
Alternative ID: GHSA-5c2c-cvg6-ghjm
Finding: F020
Auto approve: 1