SB2023012609 - Cleartext storage of sensitive information in Jenkins GitHub Pull Request Coverage Status plugin
Published: January 26, 2023
Breakdown by Severity
- Low
- Medium
- High
- Critical
Description
This security bulletin contains information about 1 vulnerability.
1) Cleartext storage of sensitive information (CVE-ID: CVE-2023-24442)
CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information
CVSSv4: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
The vulnerability allows a local user to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file com.github.terma.jenkins.githubprcoveragestatus.Configuration.xml. A local user can gain access to these credentials.
Remediation
Cybersecurity Help is not aware of any official remediation provided by the vendor.