CVE-2019-10294
First published: Thu Apr 04 2019(Updated: )
Jenkins Kmap Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Kmap | ||
| maven/org.jenkins-ci.plugins:kmap-jenkins | =1.6 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-10294?
CVE-2019-10294 is classified as a medium severity vulnerability.
How do I fix CVE-2019-10294?
To fix CVE-2019-10294, upgrade the Jenkins Kmap Plugin to version 1.7 or later.
What are the consequences of CVE-2019-10294?
The consequences of CVE-2019-10294 include exposing sensitive credentials to users with Extended Read permission.
Which versions of the Kmap Plugin are affected by CVE-2019-10294?
All versions of the Jenkins Kmap Plugin prior to 1.7 are affected by CVE-2019-10294.
Who should be concerned about CVE-2019-10294?
Jenkins administrators and users with access to the Jenkins master should be concerned about CVE-2019-10294 due to potential credential exposure.
- collector/nvd-index
- collector/nvd-api
- agent/weakness
- agent/type
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-746x-xxrx-23jp
- alias/CVE-2019-10294
- agent/software-canonical-lookup
- agent/severity
- agent/references
- agent/description
- agent/softwarecombine
- collector/nvd-cve
- source/NVD
- agent/author
- collector/github-advisory
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/first-publish-date
- agent/event
- agent/trending
- agent/tags
- agent/source
- vendor/jenkins
- canonical/jenkins kmap
- package-manager/maven