CVE-2019-10348
Jenkins Gogs Cleartext Storage of Credentials Information Disclosure Vulnerability
Public Exploits: 0
Exploited in Wild: -
Descriptions
Jenkins Gogs Plugin stored credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.
This vulnerability allows local attackers to disclose sensitive information on affected installations of Jenkins Gogs. Authentication is required to exploit this vulnerability.
The specific flaw exists within the Gogs plugin. The issue results from storing credentials in plaintext. An attacker can leverage this vulnerability to execute code in the context of the build process.
Timeline
- 2019-03-29 CVE Reserved
- 2019-07-11 CVE Published
- 2024-07-04 EPSS Updated
- 2024-08-04 CVE Updated
- ---------- Exploited in Wild
- ---------- KEV Due Date
- ---------- First Exploit
CWE
- CWE-312: Cleartext Storage of Sensitive Information
References (4)
URL | Tag | Source |
---|---|---|
http://www.openwall.com/lists/oss-security/2019/07/11/4 | Mailing List | |
http://www.securityfocus.com/bid/109156 | Third Party Advisory | |
https://www.zerodayinitiative.com/advisories/ZDI-19-837 | Third Party Advisory | |

URL | Date | SRC |
---|---|---|
https://jenkins.io/security/advisory/2019-07-11/#SECURITY-1438 | 2023-10-25 | |