Jenkins HTML Publisher Plugin 1.20 Cleartext Storage of Sensitive Information Vulnerability

Summary

Jenkins Dingding[钉钉] Plugin stores credentials unencrypted in job config.xml files on the Jenkins master, where they can be viewed by users with Extended Read permission or with access to the master file system.

Credit:

The information has been provided by the vendor.

The original article can be found at:

https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1423

Details

Dingding[钉钉] Plugin stores an access token unencrypted in job config.xml files on the Jenkins master. This token can be viewed by users with Extended Read permission, or access to the master file system.

As of publication of this advisory, there is no fix.
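A defensive check for this class of issue, added here and not part of the advisory: it walks a job config.xml and reports credential-looking elements whose value is not in the Jenkins encrypted-secret form (`{base64}`, the `Secret.toString()` format of modern Jenkins). The sample config.xml, the notifier class name and the element name `accessToken` are constructed for the example; the advisory does not name the element the plugin actually writes.

```python
"""Scan Jenkins job config.xml content for credentials stored in plaintext.

Assumptions (not from the advisory): elements whose tag contains
token/secret/password/apikey hold credentials, and a value shaped like
"{base64}" is a Jenkins-encrypted Secret and therefore not a finding.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

SECRET_NAME = re.compile(r"token|secret|password|apikey", re.IGNORECASE)
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Constructed sample: one plaintext plugin token, one properly encrypted value.
SAMPLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <com.example.dingding.DingdingNotifier>
      <accessToken>0123456789abcdef0123456789abcdef</accessToken>
      <jenkinsUrl>https://ci.example.internal/</jenkinsUrl>
    </com.example.dingding.DingdingNotifier>
    <hudson.tasks.Mailer>
      <smtpPassword>{AQAAABAAAAAQd2VsbGtub3duZGVtbw==}</smtpPassword>
    </hudson.tasks.Mailer>
  </publishers>
</project>
"""


def _walk(elem, path, findings):
    """Depth-first walk; record (element path, redacted value) for plaintext hits."""
    here = f"{path}/{elem.tag}"
    text = (elem.text or "").strip()
    if SECRET_NAME.search(elem.tag) and text and not ENCRYPTED.match(text):
        findings.append((here, text[:4] + "****"))  # never echo the full secret
    for child in elem:
        _walk(child, here, findings)


def find_plaintext_secrets(xml_text):
    """Return a list of (path, redacted value) for unencrypted credential elements."""
    findings = []
    _walk(ET.fromstring(xml_text), "", findings)
    return findings


def scan_jenkins_home(jenkins_home):
    """Map job name -> findings for every jobs/*/config.xml under JENKINS_HOME."""
    root = Path(jenkins_home)
    return {p.parent.name: find_plaintext_secrets(p.read_text(encoding="utf-8"))
            for p in root.glob("jobs/*/config.xml")}


if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG):
        print(f"plaintext credential at {path}: {value}")
```

Run `scan_jenkins_home("/var/lib/jenkins")` (path as an example) on the master itself, since the point of the advisory is that anyone with Extended Read or file-system access can already see these values.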

Vulnerable Systems:

Jenkins Dingding[钉钉] Plugin

CVE Information:

CVE-2019-10433

Disclosure Timeline:
Published Date: 10/09/2019