GHSA-jcwj-j574-8j2c
Suggest an improvement- Source
- https://github.com/advisories/GHSA-jcwj-j574-8j2c
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jcwj-j574-8j2c/GHSA-jcwj-j574-8j2c.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-jcwj-j574-8j2c
- Aliases
- Published
- 2022-05-24T16:44:56Z
- Modified
- 2024-02-16T08:13:13.061169Z
- Severity
-
- 3.3 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Jenkins Azure AD Plugin stored the client secret unencrypted
- Details
-
Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.
Azure AD Plugin now stores the client secret encrypted.
- Database specific
{ "nvd_published_at": "2019-04-30T13:29:00Z", "cwe_ids": [ "CWE-522" ], "severity": "LOW", "github_reviewed": true, "github_reviewed_at": "2023-10-26T21:54:57Z" }- References
-
- https://nvd.nist.gov/vuln/detail/CVE-2019-10318
- https://github.com/jenkinsci/azure-ad-plugin/commit/70983d1a6528847ccd6e7f124450c578c42d194f
- https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
- https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
- http://www.openwall.com/lists/oss-security/2019/04/30/5
Affected packages
Maven / org.jenkins-ci.plugins:azure-ad
Package
- Name
- org.jenkins-ci.plugins:azure-ad
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/azure-ad