ASA-2019-00607 – Jenkins Sonar Gerrit Plugin: Stored credentials in plain text

Sonar Gerrit Plugin stored a credential unencrypted in job config.xml files on the Jenkins master if the 'Override Credentials' option is used. This credential could be viewed by users with Extended Read permission or access to the master file system.

ASA-2019-00601 – Jenkins Dynatrace Application Monitoring Plugin: Stored credentials in plain text

Dynatrace Application Monitoring Plugin stored a credential unencrypted in its global configuration file com.dynatrace.jenkins.dashboard.TAGlobalConfiguration.xml on the Jenkins master. This credential could be viewed by users with access to the master file system.

ASA-2019-00600 – Jenkins Zulip Plugin: Stored credentials in plain text

Zulip Plugin stored a credential unencrypted in its global configuration file jenkins.plugins.zulip.ZulipNotifier.xml, as well as in the legacy configuration file hudson.plugins.humbug.HumbugNotifier.xml on the Jenkins master. This credential could be viewed by users with access to the master file system.

ASA-2019-00599 – Jenkins Bitbucket OAuth Plugin: Stored credentials in plain text

Bitbucket OAuth Plugin stored a credential unencrypted in the global config.xml configuration file on the Jenkins master. This credential could be viewed by users with access to the master file system. Bitbucket OAuth Plugin now stores this credential encrypted.

ASA-2019-00598 – Jenkins Mattermost Notification Plugin: Stored webhook endpoint token in plain text

Mattermost allows the definition of incoming (from the perspective of the service) webhook URLs. These contain what is effectively a secret token as part of the URL. Mattermost Notification Plugin stored these webhook URLs as part of its global configuration file jenkins.plugins.mattermost.MattermostNotifier.xml and job config.xml files on the Jenkins master. These URLs could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the master file system.

ASA-2019-00587 – Kubernetes kube-state-metrics: New feature exposing annotations as metrics can lead to information disclosure

A security issue was discovered in kube-state-metrics 1.7.x before 1.7.2. An experimental feature was added to v1.7.0 and v1.7.1 that enabled annotations to be exposed as metrics. By default, kube-state-metrics metrics only expose metadata about Secrets. However, a combination of the default kubectl behavior and this new feature can cause the entire secret content to end up in metric labels, thus inadvertently exposing the secret content in metrics.

ASA-2019-00585 – TYPO3 extension Direct Mail (direct_mail): Information Disclosure

A missing access check in the backend module of the extension allows a backend user without access to configured tables (e.g. fe_users, tt_address) to view and export data of users subscribed to a newsletter.

ASA-2019-00574 – libssh2: Out-of-bounds read when connecting to a malicious SSH server

There is an out-of-bounds read vulnerability, potentially leading to either denial of service or remote information disclosure. It is triggered when libssh2 is used to connect to a malicious SSH server. The overflow occurs when the SSH server sends a disconnect message, which means that the vulnerability can be triggered early in the connection process, before authentication is completed.