CVE-2019-10412
First published: Wed Sep 25 2019(Updated: )
Inedo ProGet Plugin Plugin stores a service password in its global Jenkins configuration. While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form. This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations. Inedo ProGet Plugin Plugin now encrypts the password transmitted to administrators viewing the global configuration form.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Inedo Proget | <=1.2 | |
| maven/com.inedo.proget:inedo-proget | <1.3 | 1.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/09/25/3
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1514
- https://nvd.nist.gov/vuln/detail/CVE-2019-10412
- https://github.com/jenkinsci/inedo-proget-plugin/commit/9634846c65f204c2b54237674b2cecf66d5d5fdb
- https://github.com/advisories/GHSA-f6g8-pxvp-9328 (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-f6g8-pxvp-9328
- alias/CVE-2019-10412
- collector/nvd-cve
- collector/github-advisory
- agent/severity
- agent/author
- agent/weakness
- agent/references
- agent/type
- agent/event
- agent/description
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- agent/first-publish-date
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins inedo proget
- version/jenkins inedo proget/1.2
- package-manager/maven