CVE-2019-10348 — Jenkins Gogs Plugin stored credentials in plain text

Description

Jenkins Gogs Plugin stored credentials unencrypted in job `config.xml` files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Gogs Plugin now stores credentials encrypted.

How to fix CVE-2019-10348

To remediate CVE-2019-10348, upgrade the affected package to a fixed version below.

—upgrade to 1.0.15 or later

Is CVE-2019-10348 being exploited?

Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.0.15

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10348
WEBgithub.com/jenkinsci/gogs-webhook-plugin/commit/34de11fe0822864c4c340b395dadebca8cb11844
WEBjenkins.io/security/advisory/2019-07-11/#SECURITY-1438
WEBwww.openwall.com/lists/oss-security/2019/07/11/4