CVE-2019-10318: Insufficiently Protected Credentials

May 24, 2022 (updated October 26, 2023)

Jenkins Azure AD Plugin 0.3.3 and earlier stored the client secret unencrypted in the global config.xml configuration file on the Jenkins master where it could be viewed by users with access to the master file system.

References

www.openwall.com/lists/oss-security/2019/04/30/5
github.com/advisories/GHSA-jcwj-j574-8j2c
jenkins.io/security/advisory/2019-04-30/
nvd.nist.gov/vuln/detail/CVE-2019-10318
web.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159

Code Behaviors & Features

Detect and mitigate CVE-2019-10318 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →