Allele Security Alert
ASA-2019-00104, SECURITY-886, CVE-2019-1003021
OpenId Connect Authentication Plugin showed plain text client secret in configuration form
Jenkins OpenId Connect Authentication
OpenId Connect Authentication up to and including 1.4
OpenId Connect Authentication version 1.5
Proof of concept
OpenId Connect Authentication Plugin stores the client secret in the global Jenkins configuration.
While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations.
The OpenId Connect Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global configuration form.
James Nord (CloudBees, Inc)
Jenkins Security Advisory 2019-01-28
OpenId Connect Authentication
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: March 6, 2019