Allele Security Alert
ASA-2019-00600
Identifier(s)
ASA-2019-00600, CVE-2019-10476, SECURITY-1621
Title
Stored credentials in plain text
Vendor(s)
Waseem Daher
Milan Koníř
Product(s)
Jenkins Zulip Plugin
Affected version(s)
Jenkins Zulip Plugin before version 1.1.1
Fixed version(s)
Jenkins Zulip Plugin version 1.1.1
Proof of concept
Unknown
Description
Zulip Plugin stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins master. This credential could be viewed by users with access to the master file system.
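The defect described above is visible on disk: a field that Jenkins serializes as a hudson.util.Secret appears in the XML as base64 wrapped in curly braces, while a plain String field appears verbatim. The following audit script is an added example, not code from the Zulip plugin or the Jenkins project; it classifies credential-bearing elements in a plugin config file as encrypted-Secret or plaintext. The root element name, the credential element names (apiKey, token, password) and both sample documents are constructed assumptions, not copied from the real plugin.

```python
"""Audit Jenkins plugin config XML for credentials stored in plaintext.

Added example (not the Zulip plugin's own code). Jenkins serializes
hudson.util.Secret fields as base64 wrapped in braces, e.g. {AQAAABAAAA...};
a credential element holding anything else is stored unencrypted.
The element names used below are assumptions, not taken from the real plugin.
"""
import re
import xml.etree.ElementTree as ET
from typing import Iterable, List, Tuple

# Serialized form of an encrypted hudson.util.Secret: base64 inside curly braces.
SECRET_FORM = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Element names treated as credential-bearing (assumed; extend for other plugins).
CREDENTIAL_TAGS = ("apiKey", "token", "password")

# Constructed sample resembling a pre-1.1.1 global config (root element name assumed).
VULNERABLE_XML = """<?xml version='1.0' encoding='UTF-8'?>
<jenkins.plugins.zulip.ZulipNotifier>
  <url>https://chat.example.test</url>
  <email>jenkins-bot@example.test</email>
  <apiKey>abcdef0123456789abcdef0123456789</apiKey>
</jenkins.plugins.zulip.ZulipNotifier>
"""

# Constructed sample of the same config after the key is stored as a Secret.
FIXED_XML = """<?xml version='1.0' encoding='UTF-8'?>
<jenkins.plugins.zulip.ZulipNotifier>
  <url>https://chat.example.test</url>
  <email>jenkins-bot@example.test</email>
  <apiKey>{AQAAABAAAAAQ3q2+7w==}</apiKey>
</jenkins.plugins.zulip.ZulipNotifier>
"""


def is_jenkins_secret(value: str) -> bool:
    """True if value has the serialized form of an encrypted hudson.util.Secret."""
    return bool(SECRET_FORM.match(value.strip()))


def find_plaintext_credentials(xml_text: str,
                               tags: Iterable[str] = CREDENTIAL_TAGS) -> List[Tuple[str, str]]:
    """Return (element, value) pairs for credential elements not stored as a Secret.

    Elements are matched by name anywhere in the tree, so the check also covers
    credentials nested under per-job or legacy descriptors.
    """
    wanted = set(tags)
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if elem.tag in wanted:
            value = (elem.text or "").strip()
            if value and not is_jenkins_secret(value):
                findings.append((elem.tag, value))
    return findings


def audit_files(paths: Iterable[str]) -> dict:
    """Run the check over on-disk config files; returns {path: findings} for files with hits."""
    report = {}
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            hits = find_plaintext_credentials(fh.read())
        if hits:
            report[path] = hits
    return report


if __name__ == "__main__":
    for label, sample in (("pre-fix", VULNERABLE_XML), ("fixed", FIXED_XML)):
        hits = find_plaintext_credentials(sample)
        print(f"{label}: {len(hits)} plaintext credential(s)", hits)
```

Run audit_files over the plugin's global configuration file and, if it still exists, the legacy hudson.plugins.humbug.HumbugNotifier.xml in JENKINS_HOME; after upgrading to 1.1.1 and re-saving the global configuration, both should produce no findings. Very old Jenkins releases serialized Secrets as bare base64 without braces, so on such an instance this check reports a false positive that needs a manual look.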
Technical details
Unknown
Credits
Wasin Saengow
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1621
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
Jenkins Plugins
https://plugins.jenkins.io/zulip
SECURITY-1621 Store global config API key as Secret
https://github.com/jenkinsci/zulip-plugin/commit/2a9dd6c41c2d913b0414d015b3118e3ddb60bd90
CVE-2019-10476
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10476
CVE-2019-10476
https://nvd.nist.gov/vuln/detail/CVE-2019-10476
If there is any error in this alert or you would like a comprehensive analysis, let us know.
Last modified: November 4, 2019