Cleartext transmission of sensitive information in SCTMExecutor plugin for Jenkins



Published: 2019-12-19
Risk Low
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2019-16568
CWE-ID CWE-319
Exploitation vector Network
Public exploit N/A
Vulnerable software
Subscribe 		SCTMExecutor
Web applications / Modules and components for CMS

Vendor Jenkins

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cleartext transmission of sensitive information

EUVDB-ID: #VU23695

Risk: Low

CVSSv3.1: 2.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:U/RC:C]

CVE-ID: CVE-2019-16568

CWE-ID: CWE-319 - Cleartext Transmission of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to sensitive information.

The vulnerability exists due to the affected software transmits previously configured service credentials in plain text as part of the global configuration, as well as individual jobs' configurations. A remote attacker with ability to intercept network traffic can gain access to sensitive data.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

SCTMExecutor: 0.1 - 2.2

External links

http://jenkins.io/security/advisory/2019-12-17/#SECURITY-1521


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###