CVE-2013-6372 — Jenkins Subversion Plugin Stores Credentials with Base64 Encoding

Description

The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.

How to fix CVE-2013-6372

To remediate CVE-2013-6372, upgrade the affected package to a fixed version below.

Maven/org.jenkins-ci.plugins:subversion—upgrade to 1.54 or later

Is CVE-2013-6372 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.54

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 4.0	—	CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

References (7)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2013-6372
PATCHgithub.com/jenkinsci/subversion-plugin
WEBaccess.redhat.com/errata/RHBA-2014:1630
WEBaccess.redhat.com/security/cve/CVE-2013-6372
WEB