CVE-2019-10379
First published: Wed Aug 07 2019(Updated: )
Jenkins Google Cloud Messaging Notification Plugin 1.0 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Google Cloud Messaging Notification | <=1.0 | |
| maven/org.jenkins-ci.plugins:gcm-notification | <=1.0 | |
| <=1.0 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the vulnerability ID of this issue?
The vulnerability ID of this issue is CVE-2019-10379.
What is the affected software?
The affected software is the Jenkins Google Cloud Messaging Notification Plugin version 1.0 and earlier.
Where are the credentials stored and how are they encrypted?
The credentials are stored unencrypted in the global configuration file on the Jenkins master.
Who can view the credentials?
Users with access to the Jenkins master file system can view the credentials.
What is the severity of this vulnerability?
The severity of this vulnerability is medium with a CVSS score of 6.5.
- collector/nvd-index
- collector/nvd-api
- agent/weakness
- collector/github-advisory-latest
- source/GitHub
- alias/GHSA-c3r5-vxj6-62mc
- alias/CVE-2019-10379
- agent/software-canonical-lookup
- agent/references
- agent/severity
- agent/last-modified-date
- agent/description
- agent/first-publish-date
- agent/type
- agent/author
- agent/softwarecombine
- agent/tags
- agent/event
- collector/nvd-cve
- source/NVD
- collector/github-advisory
- vendor/google
- canonical/google cloud messaging notification
- version/google cloud messaging notification/1.0
- package-manager/maven