ASA-2019-00101 – Jenkins: GitHub Authentication Plugin showed plain text client secret in configuration form


Allele Security Alert

ASA-2019-00101

Identifier(s)

ASA-2019-00101, SECURITY-602, CVE-2019-1003018

Title

GitHub Authentication Plugin showed plain text client secret in configuration form

Vendor(s)

CloudBees, Inc.

Product(s)

Jenkins

Affected version(s)

GitHub Authentication Plugin up to and including 0.29

Fixed version(s)

GitHub Authentication Plugin version 0.31

Proof of concept

Unknown

Description

GitHub Authentication Plugin stores the client secret in the global Jenkins configuration.

While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations.

GitHub Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global security configuration form.
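The pattern the description refers to, shown as an added illustration in the style of a Jenkins plugin configuration object; this is not the GitHub Authentication Plugin's own code, and the class, field and method names are assumptions. The "before" shape keeps the secret as a plain String, so whatever the form getter returns is written into the administrator's HTML page; the "after" shape uses hudson.util.Secret, which XStream persists encrypted and which the form layer renders in its encrypted form.

```java
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

/** Illustrative example only (assumed names); not the plugin's real classes. */
public class GitHubOAuthSecretExample {

    /**
     * Vulnerable shape: the client secret is a plain String. Jenkins encrypts
     * nothing here by itself, and when the global security form is rendered
     * (e.g. a Jelly <f:textbox field="clientSecret"/>) the getter's value is
     * placed in the page as clear text, readable by anything with access to
     * the DOM (browser extensions, an XSS payload on the same origin, ...).
     */
    static class ConfigBefore {
        private final String clientId;
        private final String clientSecret;   // clear text in the rendered form

        @DataBoundConstructor
        public ConfigBefore(String clientId, String clientSecret) {
            this.clientId = clientId;
            this.clientSecret = clientSecret;
        }

        public String getClientId() { return clientId; }

        /** Stapler data binding reads this to pre-fill the form field: clear text. */
        public String getClientSecret() { return clientSecret; }
    }

    /**
     * Fixed shape: the client secret is a hudson.util.Secret. On disk the
     * XStream converter stores the encrypted value; in the form the Secret is
     * rendered in its encrypted form (pair the getter with a Jelly
     * <f:password field="clientSecret"/> so the browser also masks the field).
     * Only the code that actually talks to GitHub calls getPlainText().
     */
    static class ConfigAfter {
        private final String clientId;
        private final Secret clientSecret;   // encrypted at rest and in the form

        /**
         * Stapler converts the submitted string with Secret.fromString(), which
         * accepts both an unchanged encrypted value round-tripped from the form
         * and a new clear value typed by the administrator.
         */
        @DataBoundConstructor
        public ConfigAfter(String clientId, Secret clientSecret) {
            this.clientId = clientId;
            this.clientSecret = clientSecret;
        }

        public String getClientId() { return clientId; }

        /** Form getter returns the Secret, never the decrypted String. */
        public Secret getClientSecret() { return clientSecret; }

        /** Decrypt only at the point of use (the OAuth token exchange). */
        String clientSecretForTokenExchange() {
            return clientSecret.getPlainText();
        }
    }

    /**
     * Defender's check for the fixed shape: the value a form getter exposes
     * must differ from the clear secret. Returns true when what would be sent
     * to the browser is the encrypted representation, not the plain text.
     */
    static boolean formValueIsEncrypted(ConfigAfter cfg) {
        Secret s = cfg.getClientSecret();
        return !s.getEncryptedValue().equals(s.getPlainText());
    }
}
```

For an existing installation the practical check is the same one the description implies: open the global security configuration page with the browser's view-source or DOM inspector and confirm the client-secret field no longer contains the clear value. Since the plain text was sent to every administrator's browser before the fix, rotating the OAuth application's client secret at GitHub after upgrading to 0.31 is the conservative course.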

Technical details

Unknown

Credits

R. Tyler Croy (CloudBees, Inc.)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

Jenkins Plugins
https://plugins.jenkins.io/github-oauth

CVE-2019-1003018
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003018

CVE-2019-1003018
https://nvd.nist.gov/vuln/detail/CVE-2019-1003018

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: February 24, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.