CVE-2019-10422
First published: Wed Sep 25 2019(Updated: )
Jenkins Call Remote Job Plugin stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Jenkins Call Remote Job | <=1.0.21 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is CVE-2019-10422?
CVE-2019-10422 is a vulnerability in the Jenkins Call Remote Job Plugin that allows credentials to be stored unencrypted in job config.xml files on the Jenkins master, potentially exposing them to unauthorized users.
What is the severity of CVE-2019-10422?
CVE-2019-10422 has a severity of medium with a CVSS score of 6.5.
How does CVE-2019-10422 affect Jenkins?
CVE-2019-10422 affects Jenkins by storing credentials unencrypted in job config.xml files on the Jenkins master.
How can unauthorized users view the credentials in Jenkins?
Unauthorized users can view the credentials in Jenkins if they have Extended Read permission or access to the master file system.
What is the recommended fix for CVE-2019-10422?
To fix CVE-2019-10422, it is recommended to update the Jenkins Call Remote Job Plugin to version 1.0.22 or later, which resolves the vulnerability.
- collector/nvd-index
- collector/nvd-api
- agent/severity
- agent/weakness
- agent/references
- agent/author
- agent/description
- agent/type
- agent/event
- agent/softwarecombine
- agent/first-publish-date
- agent/last-modified-date
- agent/tags
- collector/mitre-cve
- source/MITRE
- vendor/jenkins
- canonical/jenkins call remote job
- version/jenkins call remote job/1.0.21