Cleartext storage of sensitive information in Rundeck - CVE-2019-16556
Published: December 18, 2019
Vulnerability identifier: #VU23674
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-16556
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Rundeck
Detailed vulnerability description
The vulnerability allows a remote user to view stored passwords on the target system.
The vulnerability exists because the affected software stores credentials in cleartext in its global configuration file "org.jenkinsci.plugins.rundeck.RundeckNotifier.xml" and in job "config.xml" files on the Jenkins master. A remote user with Extended Read permission, or with access to the master file system, can read those files and obtain the credentials.
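One way a defender can check whether a Jenkins master is exposed in this manner is to scan the plugin's global configuration file and the job config.xml files for credential-like elements whose value is not in Jenkins' encrypted-secret form. The script below is an added example, not code from the advisory, from Jenkins or from the Rundeck plugin. It assumes that Jenkins stores protected secrets as a "{base64}" token (the output of hudson.util.Secret) and that credential elements carry names such as password or token; the XML documents embedded in it are constructed samples whose element names only approximate the real plugin schema.

```python
import re
import sys
import xml.etree.ElementTree as ET

# Element names that commonly hold credentials in Jenkins plugin
# configuration. This list is an assumption for the example; extend it
# for the plugins deployed on your master.
CREDENTIAL_TAGS = {"password", "token", "apitoken", "secret", "passphrase"}

# Jenkins writes secrets protected by hudson.util.Secret as "{base64}".
# A credential-like element whose text does not match this shape is
# treated as cleartext.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_cleartext_credentials(xml_text, source="<memory>"):
    """Return (source, element path, tag) triples for credential-like
    elements stored in cleartext. The value itself is deliberately not
    returned, so the scanner's output is not another copy of the secret."""
    findings = []
    root = ET.fromstring(xml_text)

    def walk(elem, path):
        for child in elem:
            tag = child.tag.split("}")[-1]          # drop any namespace
            child_path = f"{path}/{tag}"
            text = (child.text or "").strip()
            if tag.lower() in CREDENTIAL_TAGS and text and not ENCRYPTED_RE.match(text):
                findings.append((source, child_path, tag))
            walk(child, child_path)

    walk(root, root.tag)
    return findings


def scan_file(path):
    """Scan one Jenkins XML configuration file on disk."""
    with open(path, encoding="utf-8") as fh:
        return find_cleartext_credentials(fh.read(), source=path)


# Constructed sample of a global plugin configuration that stores the
# Rundeck password in cleartext (the element names are assumed).
SAMPLE_GLOBAL_CONFIG = """<org.jenkinsci.plugins.rundeck.RundeckNotifier_-DescriptorImpl>
  <rundeckInstances>
    <entry>
      <string>default</string>
      <org.jenkinsci.plugins.rundeck.RundeckInstance>
        <url>https://rundeck.example.internal</url>
        <login>jenkins</login>
        <password>constructed-cleartext-password</password>
      </org.jenkinsci.plugins.rundeck.RundeckInstance>
    </entry>
  </rundeckInstances>
</org.jenkinsci.plugins.rundeck.RundeckNotifier_-DescriptorImpl>
"""

# Constructed sample of a job config.xml whose only credential-like
# element is already in Jenkins' encrypted form and must not be flagged.
SAMPLE_JOB_CONFIG = """<project>
  <publishers>
    <org.jenkinsci.plugins.rundeck.RundeckNotifier>
      <jobId>deploy-app</jobId>
      <rundeckInstance>default</rundeckInstance>
    </org.jenkinsci.plugins.rundeck.RundeckNotifier>
    <some.other.Plugin>
      <token>{AQAAABAAAAAQc29tZS1lbmNyeXB0ZWQtYmxvYg==}</token>
    </some.other.Plugin>
  </publishers>
</project>
"""


if __name__ == "__main__":
    # With file paths as arguments the script scans real files; without
    # arguments it runs against the constructed samples.
    if len(sys.argv) > 1:
        results = [f for p in sys.argv[1:] for f in scan_file(p)]
    else:
        results = find_cleartext_credentials(SAMPLE_GLOBAL_CONFIG, "global-sample")
        results += find_cleartext_credentials(SAMPLE_JOB_CONFIG, "job-sample")
    for source, path, tag in results:
        print(f"cleartext {tag} at {path} in {source}")
    sys.exit(1 if results else 0)
```

On a real master the script would be pointed at $JENKINS_HOME/org.jenkinsci.plugins.rundeck.RundeckNotifier.xml and $JENKINS_HOME/jobs/*/config.xml; a non-zero exit code makes it usable as a periodic compliance check. Reporting the element path rather than the value keeps the scan output safe to store in logs.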
How to mitigate CVE-2019-16556
Install updates from the vendor's website.