[JENKINS:SECURITY-1574] `git-changelog` stored credentials in plain text

Severity Medium
Affected Packages 2
Fixed Packages 2
CVEs 1

git-changelog stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller.
These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

git-changelog now stores these passwords encrypted.
Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

ID: JENKINS:SECURITY-1574
Severity: medium
Published: 2019-09-25T00:00:00
Modified: 2019-09-25T00:00:00
Rights: Jenkins Security Team
Other Advisories
Source # ID Name URL
Plugin repository git-changelog repository https://github.com/jenkinsci/git-changelog-plugin
| Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
|---|---|---|---|---|---|---|---|
| Affected | pkg:maven/org.jenkins-ci.plugins/git-changelog | org.jenkins-ci.plugins | git-changelog | <= 2.17 | | | |
| Fixed | pkg:maven/org.jenkins-ci.plugins/git-changelog | org.jenkins-ci.plugins | git-changelog | = 2.18 | | | |
| Affected | pkg:github/jenkinsci/git-changelog-plugin | jenkinsci | git-changelog-plugin | <= 2.17 | | | |
| Fixed | pkg:github/jenkinsci/git-changelog-plugin | jenkinsci | git-changelog-plugin | = 2.18 | | | |