GitHub Advisory DatabaseGHSA-VP26-4HJ6-JRVXSkytap Cloud CI Plugin stored credentials in plain text
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
72.5%
Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| org.jenkins | ci.plugins\ | skytap | cpe:2.3:a:org.jenkins:ci.plugins\:skytap:*:*:*:*:*:*:*:* |
References
www.openwall.com/lists/oss-security/2019/07/31/1
github.com/advisories/GHSA-vp26-4hj6-jrvx
github.com/jenkinsci/skytap-cloud-plugin/commit/167986a84d1d15b525eaf0232b1c1a7c47aef670
jenkins.io/security/advisory/2019-07-31/#SECURITY-1429
nvd.nist.gov/vuln/detail/CVE-2019-10366
www.zerodayinitiative.com/advisories/ZDI-19-833/
Related
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
SINGLE
Confidentiality Impact
PARTIAL
Integrity Impact
NONE
Availability Impact
NONE
AV:N/AC:L/Au:S/C:P/I:N/A:N
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
AI Score
Confidence
High
EPSS
Percentile
72.5%