#VU23674 Cleartext storage of sensitive information in Rundeck - CVE-2019-16556
Published: December 18, 2019
Vulnerability identifier: #VU23674
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2019-16556
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Rundeck
Software vendor: Jenkins
Description
The vulnerability allows a remote user to view the password on the target system.
The vulnerability exists because the affected software stores credentials in its global configuration file "org.jenkinsci.plugins.rundeck.RundeckNotifier.xml" and in job "config.xml" files on the Jenkins master. A remote user with Extended Read permission or access to the master file system can obtain these credentials.
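A defender-side check for this class of weakness, added here as an example and not part of the advisory or the plugin: it parses a Jenkins configuration XML file and reports secret-looking elements whose value is not in the `{base64}` form that Jenkins' `Secret` class uses for encrypted values. The sample XML and its element names (`rundeckUser`, `rundeckPassword`, `apiToken`) are constructed for illustration and are assumptions, not the plugin's real schema.

```python
import glob
import re
import xml.etree.ElementTree as ET

# Constructed sample of a job config.xml fragment. Element names are
# assumptions for illustration only, not the RundeckNotifier schema.
SAMPLE_CONFIG_XML = """<project>
  <publishers>
    <org.jenkinsci.plugins.rundeck.RundeckNotifier>
      <rundeckUser>deploy</rundeckUser>
      <rundeckPassword>hunter2</rundeckPassword>
      <apiToken>{AQAAABAAAAAQc29tZS1lbmNyeXB0ZWQtdmFsdWU=}</apiToken>
    </org.jenkinsci.plugins.rundeck.RundeckNotifier>
  </publishers>
</project>
"""

# Element names that usually hold a credential (heuristic).
SECRET_NAME_RE = re.compile(r"password|passwd|secret|token|apikey", re.IGNORECASE)
# Jenkins serialises values of type hudson.util.Secret as "{<base64>}".
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(xml_text: str) -> list[str]:
    """Return the tag names of secret-looking elements stored unencrypted.

    The secret value itself is deliberately not returned, so a scan report
    does not re-expose what it found.
    """
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if not SECRET_NAME_RE.search(elem.tag):
            continue
        value = (elem.text or "").strip()
        if not value or ENCRYPTED_RE.match(value):
            continue  # empty, or encrypted at rest by Jenkins
        findings.append(elem.tag)
    return findings


def scan_jenkins_home(jenkins_home: str) -> dict[str, list[str]]:
    """Scan every job config.xml and the global plugin config under JENKINS_HOME."""
    patterns = [f"{jenkins_home}/jobs/*/config.xml",
                f"{jenkins_home}/org.jenkinsci.plugins.rundeck.RundeckNotifier.xml"]
    report = {}
    for pattern in patterns:
        for path in glob.glob(pattern):
            with open(path, encoding="utf-8") as fh:
                hits = find_plaintext_secrets(fh.read())
            if hits:
                report[path] = hits
    return report


if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG_XML))  # ['rundeckPassword']
```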
Remediation
Install updates from the vendor's website.