CVE-2019-10320: Insertion of Sensitive Information into Externally-Accessible File or Directory in Jenkins Credentials

Severity: 4.3 MEDIUM (NVD)
EPSS: 0.1% (top 69.77%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published May 21, latest update May 24

Description

Jenkins Credentials Plugin 2.1.18 and earlier allowed users with permission to create or update credentials to confirm the existence of files on the Jenkins master with an attacker-specified path, and obtain the certificate content of files containing a PKCS#12 certificate.

CVSS vector

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (2 packages)

CVEListV5: jenkins_project/jenkins_credentials_plugin, 2.1.18 and earlier

🔴 Vulnerability Details (4)

GHSA: Insertion of Sensitive Information into Externally-Accessible File or Directory in Jenkins Credentials Plugin (2022-05-24)
OSV: Insertion of Sensitive Information into Externally-Accessible File or Directory in Jenkins Credentials Plugin (2022-05-24)
OSV: mariadb vulnerabilities (2019-11-20)
CVEList: CVE-2019-10320: Jenkins Credentials Plugin 2 (2019-05-21)

📋 Vendor Advisories (2)

Red Hat: jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322) (2019-05-21)
Jenkins: Jenkins Security Advisory 2019-05-21 (2019-05-21)

💬 Community (1)

Bugzilla: CVE-2019-10320 jenkins-credentials-plugin: Certificate file read vulnerability in Credentials Plugin (SECURITY-1322) (2019-05-27)