[JENKINS:SECURITY-845] Publish Over Dropbox Plugin stored credentials in plain text
Severity: Low
Affected Packages: 2
Fixed Packages: 2
Publish Over Dropbox Plugin stored the authorization code and access code unencrypted in its global configuration file on the Jenkins controller.
These secrets could be viewed by users with access to the Jenkins controller file system.
Additionally, the authorization code was not masked from view using a password form field.
The plugin now stores these secrets encrypted in the configuration files on disk and no longer transfers the authorization code in plain text to users viewing the configuration form.
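To check a controller for the condition described above, the following added example (not code from the plugin or the advisory) scans a configuration file's XML for secret fields that are not in the brace-wrapped encrypted form written by Jenkins' `hudson.util.Secret`. The element names `authorizationCode` and `accessCode` and the sample XML are assumptions constructed for illustration; the advisory does not name the file or its fields.

```python
import re
import xml.etree.ElementTree as ET

# Brace-wrapped base64 is the form hudson.util.Secret writes for encrypted values.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/]+={0,2}\}$")
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

# Hypothetical element names; check the plugin's real config file for its own.
SECRET_FIELDS = {"authorizationCode", "accessCode"}


def audit_config(xml_text, fields=SECRET_FIELDS):
    """Return [(element path, status)] for every secret-bearing element."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        if elem.tag in fields:
            value = (elem.text or "").strip()
            if not value:
                status = "empty"
            elif ENCRYPTED.match(value):
                status = "encrypted"
            else:
                status = "plaintext"
            findings.append((here, status))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(XML_DECL.sub("", xml_text, count=1)), "")
    return findings


# Constructed sample: one value left in the clear, one in encrypted form.
SAMPLE = """<?xml version='1.1' encoding='UTF-8'?>
<examplePluginConfig>
  <hostConfiguration>
    <authorizationCode>constructed-plain-value</authorizationCode>
    <accessCode>{AQAAABAAAAAQY29uc3RydWN0ZWQtc2FtcGxl}</accessCode>
  </hostConfiguration>
</examplePluginConfig>"""

if __name__ == "__main__":
    for path, status in audit_config(SAMPLE):
        print(f"{status:10} {path}")
```

Any field reported as `plaintext` after upgrading should be treated as exposed: re-save the configuration so it is rewritten encrypted, and rotate the secret.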
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/publish-over-dropbox | <= 1.2.4 |
pkg:github/jenkinsci/publish-over-dropbox-plugin | <= 1.2.4 |
Package | Fixed Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/publish-over-dropbox | = 1.2.5 |
pkg:github/jenkinsci/publish-over-dropbox-plugin | = 1.2.5 |
- ID: JENKINS:SECURITY-845
- Severity: low
- Published: 2018-09-25T00:00:00 (6 years ago)
- Modified: 2018-09-25T00:00:00 (6 years ago)
- Rights: Jenkins Security Team
Source | # ID | Name | URL |
---|---|---|---|
Plugin repository | | publish-over-dropbox repository | https://github.com/jenkinsci/publish-over-dropbox-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/publish-over-dropbox | org.jenkins-ci.plugins | publish-over-dropbox | <= 1.2.4 | | | |
Fixed | pkg:maven/org.jenkins-ci.plugins/publish-over-dropbox | org.jenkins-ci.plugins | publish-over-dropbox | = 1.2.5 | | | |
Affected | pkg:github/jenkinsci/publish-over-dropbox-plugin | jenkinsci | publish-over-dropbox-plugin | <= 1.2.4 | | | |
Fixed | pkg:github/jenkinsci/publish-over-dropbox-plugin | jenkinsci | publish-over-dropbox-plugin | = 1.2.5 | | | |