ASA-2019-00104 – Jenkins: OpenId Connect Authentication Plugin showed plain text client secret in configuration form


Allele Security Alert

ASA-2019-00104

Identifier(s)

ASA-2019-00104, SECURITY-886, CVE-2019-1003021

Title

OpenId Connect Authentication Plugin showed plain text client secret in configuration form

Vendor(s)

Jenkins project

Product(s)

Jenkins OpenId Connect Authentication

Affected version(s)

OpenId Connect Authentication up to and including 1.4

Fixed version(s)

OpenId Connect Authentication version 1.5

Proof of concept

Unknown

Description

The OpenId Connect Authentication Plugin stores the OpenID Connect client secret in the global Jenkins configuration.

While the client secret is stored encrypted on disk, it was transmitted in plain text as part of the configuration form and displayed without masking. This could result in exposure of the client secret through browser extensions, cross-site scripting vulnerabilities, and similar situations.

The OpenId Connect Authentication Plugin now encrypts the client secret transmitted to administrators viewing the global configuration form.
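The pattern behind this fix, as an added illustration that is not the plugin's own source code: a Jenkins global configuration that keeps the client secret as a plain `String` hands the raw value to the Jelly form, so every administrator's browser (and anything running in it) receives the plaintext. Switching the field to `hudson.util.Secret` means the standard form controls render only the encrypted token, while the plaintext is unwrapped server-side, and only where the identity provider is actually called. The class, package and method names below are hypothetical.

```java
// Added example (hypothetical names), not code from the oic-auth plugin.
// Shows the "after" shape: the client secret is a hudson.util.Secret, so
// the configuration form carries only the encrypted form of the value.
package org.example.oidc;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class OidcGlobalConfig extends GlobalConfiguration {

    private String clientId;

    // Vulnerable shape: private String clientSecret;
    // With a String here, the getter returns the plaintext and the Jelly
    // form echoes it to every administrator who opens the page.
    private Secret clientSecret;

    public OidcGlobalConfig() {
        // Reads the persisted XML. Secret fields are stored encrypted on
        // disk, matching what the advisory says about the at-rest form.
        load();
    }

    public String getClientId() {
        return clientId;
    }

    @DataBoundSetter
    public void setClientId(String clientId) {
        this.clientId = clientId;
        save();
    }

    // Bound to an <f:password field="clientSecret"/> control in config.jelly.
    // Because the return type is Secret, Jenkins renders the control with
    // Secret.getEncryptedValue(), never the plaintext.
    public Secret getClientSecret() {
        return clientSecret;
    }

    // Stapler converts the submitted (encrypted or freshly typed) string
    // back into a Secret via Secret.fromString, so re-saving the form does
    // not require the browser to ever hold the plaintext.
    @DataBoundSetter
    public void setClientSecret(Secret clientSecret) {
        this.clientSecret = clientSecret;
        save();
    }

    // The only place the plaintext is unwrapped: the server-side token
    // request to the OpenID Connect provider.
    public String clientSecretForTokenRequest() {
        return clientSecret == null ? null : clientSecret.getPlainText();
    }
}
```

In the matching `config.jelly` the secret is bound with `<f:entry title="Client secret" field="clientSecret"><f:password/></f:entry>` rather than `<f:textbox/>`, which gives both the masking in the UI and the encrypted value in the form payload. A quick check for any plugin is to open the global configuration page, view its source, and confirm that the field's `value` attribute is the encrypted token (it will not match the secret you typed) rather than the secret itself.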

Technical details

Unknown

Credits

James Nord (CloudBees, Inc)

Reference(s)

Jenkins Security Advisory 2019-01-28
https://jenkins.io/security/advisory/2019-01-28

OpenId Connect Authentication
https://plugins.jenkins.io/oic-auth

CVE-2019-1003021
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-1003021

CVE-2019-1003021
https://nvd.nist.gov/vuln/detail/CVE-2019-1003021

If there is any error in this alert or you wish a comprehensive analysis, let us know.

Last modified: March 6, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.