CVE-2019-10467 – org.jenkins-ci.plugins:sonar-gerrit

Package

Manager: maven
Name: org.jenkins-ci.plugins:sonar-gerrit
Vulnerable Version: >=0 <2.4.5

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00047 pctl0.14135

Details

Jenkins Sonar Gerrit Plugin stores credentials unencrypted Jenkins Sonar Gerrit Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Metadata

Created: 2022-05-24T16:59:37Z
Modified: 2022-12-06T21:43:18Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fv3-w7j6-5xfc/GHSA-6fv3-w7j6-5xfc.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-6fv3-w7j6-5xfc
Finding: F035
Auto approve: 1