Allele Security Alert
ASA-2019-00599
Identifier(s)
ASA-2019-00599, CVE-2019-10460, SECURITY-1546
Title
Stored credentials in plain text
Vendor(s)
mallowlabs
Product(s)
Jenkins Bitbucket OAuth Plugin
Affected version(s)
Jenkins Bitbucket OAuth Plugin before version 0.10
Fixed version(s)
Jenkins Bitbucket OAuth Plugin version 0.10
Proof of concept
Unknown
Description
Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins master. This credential could be viewed by users with access to the master file system. Bitbucket OAuth Plugin now stores this credential encrypted.
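As an added example (not from the advisory, the plugin, or its fix commit), a small check a Jenkins administrator can run over the master's config.xml after upgrading: it flags sensitive-looking elements whose value is not in the brace-wrapped base64 form Jenkins writes for encrypted Secret fields. The element names, the sample configuration and the encrypted-format pattern are constructed assumptions to be verified against your own master.

```python
import re
import xml.etree.ElementTree as ET

# Assumed shape of a Jenkins-encrypted Secret: base64 wrapped in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Element names that usually hold material that should be at rest encrypted.
SENSITIVE_RE = re.compile(r"(secret|password|token|apikey)", re.IGNORECASE)

# Constructed sample of a global config.xml with the Bitbucket OAuth realm
# (class and element names are assumptions, not copied from the plugin).
VULNERABLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <securityRealm class="org.jenkinsci.plugins.BitbucketSecurityRealm">
    <clientID>example-client-id</clientID>
    <clientSecret>hunter2-plaintext-secret</clientSecret>
  </securityRealm>
</hudson>"""

# Same file as it should look once the secret is stored encrypted
# (the blob is a constructed placeholder, not a real ciphertext).
FIXED_CONFIG = VULNERABLE_CONFIG.replace(
    "hunter2-plaintext-secret", "{AQAAABAAAAAgZmFrZS1lbmNyeXB0ZWQtYmxvYg==}")


def find_plaintext_secrets(config_xml: str) -> list:
    """Return slash-separated paths of sensitive-looking elements whose text
    is not in the encrypted Secret form. An empty list means none found."""
    root = ET.fromstring(config_xml)
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}" if path else elem.tag
        text = (elem.text or "").strip()
        if SENSITIVE_RE.search(elem.tag) and text and not ENCRYPTED_RE.match(text):
            findings.append(here)
        for child in elem:
            walk(child, here)

    walk(root, "")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before 0.10", VULNERABLE_CONFIG), ("0.10", FIXED_CONFIG)):
        hits = find_plaintext_secrets(cfg)
        status = "plaintext at " + ", ".join(hits) if hits else "all sensitive values encrypted"
        print(f"{label}: {status}")
```

On a real master, read `$JENKINS_HOME/config.xml` into `find_plaintext_secrets` instead of the constructed sample; a non-empty result after upgrading means the value has not yet been re-saved through the plugin's configuration page.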
Technical details
Unknown
Credits
James Holderness (IB Boost)
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1546
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
Jenkins Plugins
https://plugins.jenkins.io/bitbucket-oauth
[SECURITY-1546] fix client secret is saved in plain text
https://github.com/jenkinsci/bitbucket-oauth-plugin/commit/f55d222db910220ca8cd8631fb746c98b9e12870
CVE-2019-10460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10460
CVE-2019-10460
https://nvd.nist.gov/vuln/detail/CVE-2019-10460
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 4, 2019