CVE-2019-10347 — Stored credentials unencrypted in Jenkins Mashup Portlets Plugin

Description

Jenkins Mashup Portlets Plugin stored credentials unencrypted on the Jenkins master where they can be viewed by users with access to the master file system.

How to fix CVE-2019-10347

To remediate CVE-2019-10347, upgrade the affected package to a fixed version below.

Maven/javagh.jenkins:mashup-portlets-plugin—upgrade to 1.1.0 or later

Is CVE-2019-10347 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.1.0

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	HIGH8.8	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

References (5)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10347
WEBgithub.com/jenkinsci/mashup-portlets-plugin/commit/05eb9bfd5c758c8c477ce6bd4315fd65d83e9a0a
WEBjenkins.io/security/advisory/2019-07-11/#SECURITY-775
WEBwww.openwall.com/lists/oss-security/2019/07/11/4