CVE-2019-10414
First published: Wed Sep 25 2019(Updated: )
Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job `config.xml` files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Git Changelog Plugin now stores these passwords encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Git Changelog | <=2.17 | |
| maven/de.wellnerbou.jenkins:git-changelog | <2.18 | 2.18 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://www.openwall.com/lists/oss-security/2019/09/25/3
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1574
- https://nvd.nist.gov/vuln/detail/CVE-2019-10414
- https://github.com/jenkinsci/git-changelog-plugin/commit/356243aa6d3f6ad60f057e7567a3466910618441
- https://github.com/advisories/GHSA-h27g-72mh-9m33 (Advisory)
- collector/nvd-index
- collector/nvd-api
- collector/github-advisory-latest
- alias/GHSA-h27g-72mh-9m33
- alias/CVE-2019-10414
- collector/nvd-cve
- collector/github-advisory
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/first-publish-date
- agent/softwarecombine
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins git changelog
- version/jenkins git changelog/2.17
- package-manager/maven