Allele Security Alert
ASA-2019-00101, SECURITY-602, CVE-2019-1003018
GitHub Authentication Plugin showed plain text client secret in configuration form
GitHub Authentication Plugin up to and including 0.29
GitHub Authentication Plugin version 0.31
Proof of concept
GitHub Authentication Plugin stores the client secret in the global Jenkins configuration.
While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations.
GitHub Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global security configuration form.
R. Tyler Croy (CloudBees, Inc)
Jenkins Security Advisory 2019-01-28
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: February 24, 2019