ASA-2019-00599 – Jenkins Bitbucket OAuth Plugin: Stored credentials in plain text


Allele Security Alert

ASA-2019-00599

Identifier(s)

ASA-2019-00599, CVE-2019-10460, SECURITY-1546

Title

Stored credentials in plain text

Vendor(s)

mallowlabs

Product(s)

Jenkins Bitbucket OAuth Plugin

Affected version(s)

Jenkins Bitbucket OAuth Plugin before version 0.10

Fixed version(s)

Jenkins Bitbucket OAuth Plugin version 0.10

Proof of concept

Unknown

Description

Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins master. This credential could be viewed by users with access to the master file system. Bitbucket OAuth Plugin now stores this credential encrypted.
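The defect class described above, as an added illustration that is not the plugin's own code: Jenkins persists plugin settings to config.xml via XStream, so a plain String field is written verbatim while a hudson.util.Secret field is written in its encrypted form. The class and field names, and the assumption that the fix switched the field type to Secret, are this example's own.

```java
// Added example (not the Bitbucket OAuth Plugin's code): plain String vs Secret
// for a persisted client secret. Class and field names are assumptions.
import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import org.kohsuke.stapler.DataBoundSetter;

@Extension
public class ExampleOAuthConfiguration extends GlobalConfiguration {

    // BEFORE (vulnerable pattern): XStream serialises the String as-is into
    // $JENKINS_HOME/config.xml, e.g. <clientSecret>hunter2</clientSecret>,
    // readable by anyone with file-system access to the master.
    // private String clientSecret;

    // AFTER (hardened): Secret is serialised as its encrypted value, which is
    // an opaque token bound to this instance's secret key (illustrative form:
    // <clientSecret>{AQAAAB...}</clientSecret>).
    private Secret clientSecret;

    public ExampleOAuthConfiguration() {
        load(); // read previously saved values from config.xml
    }

    public Secret getClientSecret() {
        return clientSecret;
    }

    @DataBoundSetter
    public void setClientSecret(Secret clientSecret) {
        this.clientSecret = clientSecret;
        save(); // persist; the Secret converter writes the encrypted value
    }

    // Decrypt only at the point of use (building the token request) and
    // never log or echo the result. Secret.toString(null) yields "".
    public String clientSecretForTokenExchange() {
        return Secret.toString(clientSecret);
    }
}
```

After upgrading to a fixed plugin version, an administrator can confirm the change took effect by checking that the literal secret no longer appears in config.xml and that the element now holds an encrypted token.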

Technical details

Unknown

Credits

James Holderness (IB Boost)

Reference(s)

Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1546

oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2

Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ

Jenkins Plugins
https://plugins.jenkins.io/bitbucket-oauth

[SECURITY-1546] fix client secret is saved in plain text
https://github.com/jenkinsci/bitbucket-oauth-plugin/commit/f55d222db910220ca8cd8631fb746c98b9e12870

CVE-2019-10460
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10460

CVE-2019-10460
https://nvd.nist.gov/vuln/detail/CVE-2019-10460

If there is any error in this alert, or if you would like a comprehensive analysis, let us know.

Last modified: November 4, 2019

We are not responsible for any data loss, device corruption or any other type of issue due to the use of any information mentioned in our security alerts.