Jenkins Azure AD Plugin stored the client secret unencrypted

GHSA-jcwj-j574-8j2c · CVE-2019-10318

Published May 24, 2022 · Modified Feb 16, 2024

Description

Jenkins Azure AD Plugin stored the client secret unencrypted in the global config.xml configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system.

Azure AD Plugin now stores the client secret encrypted.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2019-10318
WEB https://github.com/jenkinsci/azure-ad-plugin/commit/70983d1a6528847ccd6e7f124450c578c42d194f
WEB https://jenkins.io/security/advisory/2019-04-30/#SECURITY-1390
WEB https://web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
WEB http://www.openwall.com/lists/oss-security/2019/04/30/5

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes