CVE-2019-10316 — Jenkins Aqua MicroScanner Plugin stored credentials in plain text

Description

Jenkins Aqua MicroScanner Plugin stored credentials unencrypted in its global configuration file on the Jenkins controller. These credentials could be viewed by users with access to the Jenkins controller file system. Aqua MicroScanner Plugin now stores credentials encrypted.

How to fix CVE-2019-10316

To remediate CVE-2019-10316, upgrade the affected package to a fixed version below.

—upgrade to 1.0.6 or later

Is CVE-2019-10316 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.6

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10316
WEBjenkins.io/security/advisory/2019-04-30/#SECURITY-1380
WEBweb.archive.org/web/20200227073756/http://www.securityfocus.com/bid/108159
WEBwww.openwall.com/lists/oss-security/2019/04/30/5