[JENKINS:SECURITY-1427] `neoload-jenkins-plugin` stored credentials in plain text

Severity Medium

Affected Packages 2

Fixed Packages 2

CVEs 1

neoload-jenkins-plugin stored credentials unencrypted in its global configuration file org.jenkinsci.plugins.neoload.integration.NeoGlobalConfig.xml and in job config.xml files on the Jenkins controller.
These credentials could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

neoload-jenkins-plugin now stores these credentials encrypted.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/neoload-jenkins-plugin	<= 2.2.5
pkg:github/jenkinsci/neoload-jenkins-plugin-plugin	<= 2.2.5

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/neoload-jenkins-plugin	= 2.2.6
pkg:github/jenkinsci/neoload-jenkins-plugin-plugin	= 2.2.6

ID

JENKINS:SECURITY-1427

Severity

medium

Published

2019-10-16T00:00:00
(5 years ago)

Modified

2019-10-16T00:00:00
(5 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-98P6-6428-77V7

Source	# ID	Name	URL
Plugin repository		neoload-jenkins-plugin repository	https://github.com/jenkinsci/neoload-jenkins-plugin-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/neoload-jenkins-plugin	org.jenkins-ci.plugins	neoload-jenkins-plugin	<= 2.2.5
Fixed	pkg:maven/org.jenkins-ci.plugins/neoload-jenkins-plugin	org.jenkins-ci.plugins	neoload-jenkins-plugin	= 2.2.6
Affected	pkg:github/jenkinsci/neoload-jenkins-plugin-plugin	jenkinsci	neoload-jenkins-plugin-plugin	<= 2.2.5
Fixed	pkg:github/jenkinsci/neoload-jenkins-plugin-plugin	jenkinsci	neoload-jenkins-plugin-plugin	= 2.2.6

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date