CVE-2019-10447
First published: Wed Oct 16 2019(Updated: )
Jenkins Sofy.AI Plugin stores an API token unencrypted in job config.xml files on the Jenkins controller. This token can be viewed by users with Extended Read permission or access to the Jenkins controller file system. As of publication of this advisory there is no fix.
Credit: jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com jenkinsci-cert@googlegroups.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| maven/io.jenkins.plugins:sofy-ai | <=1.0.3 | |
| Jenkins | <=1.0.3 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
Frequently Asked Questions
What is the severity of CVE-2019-10447?
CVE-2019-10447 is considered a medium severity vulnerability due to the exposure of unencrypted API tokens.
How do I fix CVE-2019-10447?
As of now, there is no fix available for CVE-2019-10447.
Which versions of Jenkins are affected by CVE-2019-10447?
CVE-2019-10447 affects Jenkins Sofy.AI Plugin versions up to and including 1.0.3.
What impact does CVE-2019-10447 have on Jenkins users?
CVE-2019-10447 allows users with Extended Read permission or file system access to view stored unencrypted API tokens.
Is there a workaround for CVE-2019-10447?
Currently, there are no recommended workarounds for CVE-2019-10447.
- collector/github-advisory-latest
- alias/GHSA-757g-m98v-6r49
- alias/CVE-2019-10447
- collector/github-advisory
- agent/weakness
- agent/references
- agent/type
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- agent/author
- agent/severity
- agent/last-modified-date
- agent/first-publish-date
- agent/description
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-cve
- agent/software-canonical-lookup-request
- collector/nvd-api
- collector/nvd-index
- package-manager/maven
- vendor/jenkins
- canonical/jenkins
- version/jenkins/1.0.3