First published: Thu Sep 12 2019(Updated: )
Beaker builder Plugin stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. Beaker builder Plugin now stores these credentials encrypted.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Beaker Builder | <=1.9 | |
maven/org.jenkins-ci.plugins:beaker-builder | <1.10 | 1.10 |
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
CVE-2019-10398 has a medium severity rating due to the exposure of sensitive credentials.
To fix CVE-2019-10398, upgrade the Jenkins Beaker Builder Plugin to version 1.10 or later.
CVE-2019-10398 affects Jenkins Beaker Builder Plugin versions up to and including 1.9.
The risks of CVE-2019-10398 include unauthorized access to sensitive Beaker passwords by users with file system access.
If you are using Jenkins Beaker Builder Plugin version 1.9 or earlier, your system is vulnerable to CVE-2019-10398.