CVE-2019-10350: Jenkins Port Allocator Cleartext Storage of Credentials Information Disclosure Vulnerability
First published: Thu Jul 11 2019(Updated: )
Jenkins Port Allocator Plugin stores credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials can be viewed by users with Extended Read permission, or access to the Jenkins controller file system. As of publication of this advisory, there is no fix.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/org.jenkins-ci.plugins:port-allocator | <=1.10 | |
| Jenkins Port Allocator | <=1.8 | |
| Jenkins Port Allocator |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- https://jenkins.io/security/advisory/2019-07-11/
- https://www.zerodayinitiative.com/advisories/ZDI-19-838/
- http://www.openwall.com/lists/oss-security/2019/07/11/4
- http://www.securityfocus.com/bid/109156
- https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1441
- https://nvd.nist.gov/vuln/detail/CVE-2019-10350
- https://github.com/advisories/GHSA-5hhg-q22c-6g39 (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-5hhg-q22c-6g39
- alias/CVE-2019-10350
- collector/github-advisory
- collector/nvd-cve
- agent/weakness
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/severity
- agent/author
- agent/references
- agent/title
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- collector/zdi-advisory
- source/ZDI
- alias/ZDI-19-838
- alias/ZDI-CAN-8893
- agent/software-canonical-lookup
- agent/tags
- agent/event
- agent/trending
- vendor/jenkins
- canonical/jenkins port allocator
- version/jenkins port allocator/1.8
- package-manager/maven