Cleartext storage of sensitive information in Anchore Container Image Scanner - CVE-2019-16542
Published: November 22, 2019
Vulnerability identifier: #VU22920
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-16542
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Anchore Container Image Scanner
Anchore Container Image Scanner
Detailed vulnerability description
The vulnerability allows a remote user to view the password on the target system.
The vulnerability exists due to the affected software stored an Anchore.io service password unencrypted in job "config.xml" files as part of its configuration. A remote user with Extended Read permission or access to the master file system can obtain this credential.
The vulnerability exists due to the affected software stored an Anchore.io service password unencrypted in job "config.xml" files as part of its configuration. A remote user with Extended Read permission or access to the master file system can obtain this credential.
How to mitigate CVE-2019-16542
Install updates from vendor's website.