CVE-2019-10378 – org.jenkins-ci.plugins:testlink

Package

Manager: maven
Name: org.jenkins-ci.plugins:testlink
Vulnerable Version: >=0 <=3.16

Severity

Level: Low

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00016 pctl0.02446

Details

Jenkins TestLink Plugin stores credentials in plain text Jenkins TestLink Plugin stores credentials unencrypted in its global configuration file hudson.plugins.testlink.TestLinkBuilder.xml on the Jenkins controller. These credentials can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

Metadata

Created: 2022-05-24T16:52:46Z
Modified: 2023-10-26T22:50:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qcfr-65hf-f98x/GHSA-qcfr-65hf-f98x.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-qcfr-65hf-f98x
Finding: F035
Auto approve: 1