CVE-2019-16556

CWE-522Insufficiently Protected Credentials5 documents5 sources
Severity
6.5MEDIUM
EPSS
0.0%
top 85.44%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins Project Jenkins Rundeck PluginJenkins Rundeck
Timeline
PublishedDec 17
Latest updateMay 24

Description

Jenkins Rundeck Plugin 3.6.5 and earlier stores credentials unencrypted in its global configuration file and in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_rundeck_pluginunspecified3.6.5
NVDjenkins/rundeck3.6.5

🔴Vulnerability Details

3
GHSA
Jenkins Rundeck Plugin stored credentials in plain text2022-05-24
OSV
Jenkins Rundeck Plugin stored credentials in plain text2022-05-24
CVEList
CVE-2019-16556: Jenkins Rundeck Plugin 32019-12-17

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2019-12-172019-12-17
CVE-2019-16556 (MEDIUM CVSS 6.5) | Jenkins Rundeck Plugin 3.6.5 and ea | cvebase.io