CVE-2019-10416 – org.jenkins-ci.plugins:violation-comments-to-gitlab

Package

Manager: maven
Name: org.jenkins-ci.plugins:violation-comments-to-gitlab
Vulnerable Version: >=0 <2.29

Severity

Level: Medium

CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00065 pctl0.20575

Details

Violation Comments to GitLab Plugin has Insufficiently Protected Credentials Violation Comments to GitLab Plugin stored API tokens unencrypted in job `config.xml` files and its global configuration file `org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml` on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Violation Comments to GitLab Plugin now stores these credentials encrypted. Existing jobs need to have their configuration saved for existing plain text credentials to be overwritten.

Metadata

Created: 2022-05-24T16:56:46Z
Modified: 2023-02-23T20:31:42Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3p8r-p4q5-mc44/GHSA-3p8r-p4q5-mc44.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-3p8r-p4q5-mc44
Finding: F035
Auto approve: 1