[JENKINS:SECURITY-1504] `neuvector-vulnerability-scanner` stored credentials in plain text

Severity Low

Affected Packages 2

Fixed Packages 2

CVEs 1

neuvector-vulnerability-scanner stored registry credentials unencrypted in its global configuration file io.jenkins.plugins.neuvector.NeuVectorBuilder.xml on the Jenkins controller.
These credentials could be viewed by users with access to the Jenkins controller file system.

neuvector-vulnerability-scanner now stores these credentials encrypted.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/neuvector-vulnerability-scanner	<= 1.5
pkg:github/jenkinsci/neuvector-vulnerability-scanner-plugin	<= 1.5

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/neuvector-vulnerability-scanner	= 1.6
pkg:github/jenkinsci/neuvector-vulnerability-scanner-plugin	= 1.6

ID

JENKINS:SECURITY-1504

Severity

low

Published

2019-09-25T00:00:00
(5 years ago)

Modified

2019-09-25T00:00:00
(5 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-3FPX-G9H3-HH8X

Source	# ID	Name	URL
Plugin repository		neuvector-vulnerability-scanner repository	https://github.com/jenkinsci/neuvector-vulnerability-scanner-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/neuvector-vulnerability-scanner	org.jenkins-ci.plugins	neuvector-vulnerability-scanner	<= 1.5
Fixed	pkg:maven/org.jenkins-ci.plugins/neuvector-vulnerability-scanner	org.jenkins-ci.plugins	neuvector-vulnerability-scanner	= 1.6
Affected	pkg:github/jenkinsci/neuvector-vulnerability-scanner-plugin	jenkinsci	neuvector-vulnerability-scanner-plugin	<= 1.5
Fixed	pkg:github/jenkinsci/neuvector-vulnerability-scanner-plugin	jenkinsci	neuvector-vulnerability-scanner-plugin	= 1.6

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date