#VU22920 Cleartext storage of sensitive information in Anchore Container Image Scanner - CVE-2019-16542
Published: November 22, 2019
Vulnerability identifier: #VU22920
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-16542
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vulnerable software:
Anchore Container Image Scanner
Anchore Container Image Scanner
Software vendor:
Jenkins
Jenkins
Description
The vulnerability allows a remote user to view the password on the target system.
The vulnerability exists due to the affected software stored an Anchore.io service password unencrypted in job "config.xml" files as part of its configuration. A remote user with Extended Read permission or access to the master file system can obtain this credential.
The vulnerability exists due to the affected software stored an Anchore.io service password unencrypted in job "config.xml" files as part of its configuration. A remote user with Extended Read permission or access to the master file system can obtain this credential.
Remediation
Install updates from vendor's website.