Allele Security Alert
ASA-2019-00601
Identifier(s)
ASA-2019-00601, CVE-2019-10461, SECURITY-1477
Title
Stored credentials in plain text
Vendor(s)
Dynatrace Development Team
Dariusz Glugla
Piotr Lugowsk
Product(s)
Jenkins Dynatrace Application Monitoring Plugin
Affected version(s)
Jenkins Dynatrace Application Monitoring Plugin versions before 2.1.4
Fixed version(s)
Jenkins Dynatrace Application Monitoring Plugin version 2.1.4
Proof of concept
Unknown
Description
Dynatrace Application Monitoring Plugin stored a credential unencrypted in its global configuration file com.dynatrace.jenkins.dashboard.TAGlobalConfiguration.xml on the Jenkins master. This credential could be viewed by users with access to the master file system.
Technical details
Unknown
Credits
Viktor Gazdag (NCC Group)
Reference(s)
Jenkins Security Advisory 2019-10-23
https://jenkins.io/security/advisory/2019-10-23/#SECURITY-1477
Jenkins security advisory
https://groups.google.com/d/msg/jenkinsci-advisories/KCv6eDsiV3Y/GNr0aDC3AQAJ
oss-security – Multiple vulnerabilities in Jenkins plugins
https://www.openwall.com/lists/oss-security/2019/10/23/2
Jenkins Plugins
https://plugins.jenkins.io/dynatrace-dashboard
Bugfix/august2019 #18
https://github.com/jenkinsci/dynatrace-plugin/pull/18
Bugfix/august2019 (#18)
https://github.com/jenkinsci/dynatrace-plugin/commit/373adaa1161d59ccd4e5e3469a9b6aeec17968ae
Bugfix/august2019 #18
https://github.com/jenkinsci/dynatrace-plugin/pull/18/commits/e6914f5e3cb1abf6ad5709726ec649d9629c662f
CVE-2019-10461
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-10461
CVE-2019-10461
https://nvd.nist.gov/vuln/detail/CVE-2019-10461
If there is any error in this alert or you wish a comprehensive analysis, let us know.
Last modified: November 4, 2019