Main Vulnerability Database Vulnerabilities #VU56231

Cleartext storage of sensitive information in Nomad - CVE-2021-21681

Published: September 1, 2021

Vulnerability identifier: #VU56231

CSH Severity: Low

CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear

CVE-ID: CVE-2021-21681

CWE-ID: CWE-312

Exploitation vector: Local access

Exploit availability: No public exploit available

Vulnerable software:
Nomad

Software vendor:
Jenkins

Description

The vulnerability allows a local user to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores the passwords to authenticate against the Docker registry unencrypted in the global "config.xml" file on the Jenkins controller as part of its worker templates configuration. A local user can gain unauthorized access to sensitive information on the system.

Remediation

Install updates from vendor's website.

External links

https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396
http://www.openwall.com/lists/oss-security/2021/08/31/1

Cleartext storage of sensitive information in Nomad - CVE-2021-21681

Description

Remediation

External links

Please verify you're human