Main Vulnerability Database Vulnerabilities #VU21537

Information disclosure in Configuration as Code - CVE-2019-10363

Published: October 4, 2019

Vulnerability identifier: #VU21537

CSH Severity: Medium

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Green

CVE-ID: CVE-2019-10363

CWE-ID: CWE-200

Exploitation vector: Remote access

Exploit availability: No public exploit available

Vendor: Jenkins

Affected software:
Configuration as Code

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected software does not reliably detect which values in the exported YAML file need to be considered sensitive and exports secret values in plain text. A remote authenticated attacker can gain unauthorized access to sensitive information on the system.

How to mitigate CVE-2019-10363

Install updates from vendor's website.

Sources

http://www.openwall.com/lists/oss-security/2019/07/31/1
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1458

Information disclosure in Configuration as Code - CVE-2019-10363

Detailed vulnerability description

How to mitigate CVE-2019-10363

Sources

Please verify you're human