SB2019092711 - Multiple vulnerabilities in Violation Comments to GitLab plugin for Jenkins

Description

This security bulletin contains information about 2 secuirty vulnerabilities.

1) Cleartext storage of sensitive information (CVE-ID: CVE-2019-10415)

The vulnerability allows a local user to view the password on the target system.

The vulnerability exists due to the affected software stores API tokens unencrypted in global configuration file "org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml" on the Jenkins master. A local authenticated user with Extended Read permission or access to the master file system can obtain credentials.

2) Cleartext storage of sensitive information (CVE-ID: CVE-2019-10416)

The vulnerability allows a local user to view the password on the target system.

The vulnerability exists due to the affected software stores API tokens unencrypted in job "config.xml" files on the Jenkins master. A local authenticated user with Extended Read
permission or access to the master file system can obtain credentials.

Remediation

Install update from vendor's website.

References

• http://www.openwall.com/lists/oss-security/2019/09/25/3
• https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1577