Main Vulnerability Database Vulnerabilities #VU21126

Cleartext storage of sensitive information in Beaker builder - CVE-2019-10398

Published: September 16, 2019

Vulnerability identifier: #VU21126

CSH Severity: Low

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2019-10398

CWE-ID: CWE-312

Exploitation vector: Local access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Beaker builder

Detailed vulnerability description

The vulnerability allows a local user to view the password on the target system.

The vulnerability exists due to the affected software stores credentials without encryption in its global configuration file on the Jenkins master. A local authenticated user with access to the master file system can obtain credentials.

How to mitigate CVE-2019-10398

Install updates from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2019/09/12/2
https://jenkins.io/security/advisory/2019-09-12/#SECURITY-1545

Cleartext storage of sensitive information in Beaker builder - CVE-2019-10398

Detailed vulnerability description

How to mitigate CVE-2019-10398

Sources

Please verify you're human