GHSA-qh3m-c6hw-5hmv

Source

https://github.com/advisories/GHSA-qh3m-c6hw-5hmv

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-qh3m-c6hw-5hmv/GHSA-qh3m-c6hw-5hmv.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-qh3m-c6hw-5hmv

Aliases

CVE-2019-16556

Published

2022-05-24T17:03:47Z

Modified

2024-02-16T08:21:11.954521Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Jenkins Rundeck Plugin stored credentials in plain text

Details

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Database specific

{
    "nvd_published_at": "2019-12-17T15:15:00Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T21:14:01Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:rundeck

Package

Name: org.jenkins-ci.plugins:rundeck; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/rundeck

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.6.6

Affected versions

1.*

1.0

1.1

1.2

1.3

1.4

1.5

1.5.1

1.6

1.7

1.8

2.*

2.0

2.0.1

2.1

2.2

2.3

2.3.1

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.11

3.*

3.0

3.1

3.3

3.4

3.5.1

3.5.4

3.6.1

3.6.2

3.6.3

3.6.4

3.6.5

Database specific

{
    "last_known_affected_version_range": "<= 3.6.5"
}