GHSA-5c2c-cvg6-ghjm
Suggest an improvement- Source
- https://github.com/advisories/GHSA-5c2c-cvg6-ghjm
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-5c2c-cvg6-ghjm/GHSA-5c2c-cvg6-ghjm.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-5c2c-cvg6-ghjm
- Aliases
- Published
- 2022-05-24T19:12:36Z
- Modified
- 2024-02-16T08:10:21.552304Z
- Severity
-
- 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
- Summary
- Password stored in plain text by Jenkins Nomad Plugin
- Details
-
Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global
config.xmlfile on the Jenkins controller as part of its worker templates configuration.These passwords can be viewed by users with access to the Jenkins controller file system.
Jenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.
- Database specific
{ "nvd_published_at": "2021-08-31T14:15:00Z", "cwe_ids": [ "CWE-256", "CWE-522" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2022-12-16T15:47:12Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2021-21681
- https://github.com/jenkinsci/nomad-plugin/commit/d45123487d57c0e2a8a6869866b05362f690f511
- https://github.com/jenkinsci/nomad-plugin
- https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396
- http://www.openwall.com/lists/oss-security/2021/08/31/1
Affected packages
Maven / org.jenkins-ci.plugins:nomad
Package
- Name
- org.jenkins-ci.plugins:nomad
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/nomad
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed0.7.5