Cleartext storage of sensitive information in Nomad - CVE-2021-21681

 

Cleartext storage of sensitive information in Nomad - CVE-2021-21681

Published: September 1, 2021


Vulnerability identifier: #VU56231
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2021-21681
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Nomad

Detailed vulnerability description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores the passwords to authenticate against the Docker registry unencrypted in the global "config.xml" file on the Jenkins controller as part of its worker templates configuration. A local user can gain unauthorized access to sensitive information on the system.


How to mitigate CVE-2021-21681

Install updates from vendor's website.

Sources