CVE-2019-10366 — Skytap Cloud CI Plugin stored credentials in plain text

Description

Jenkins Skytap Cloud CI Plugin 2.06 and earlier stored credentials unencrypted in job config.xml files on the Jenkins master where they could be viewed by users with Extended Read permission, or access to the master file system.

How to fix CVE-2019-10366

To remediate CVE-2019-10366, upgrade the affected package to a fixed version below.

—upgrade to 2.07 or later

Is CVE-2019-10366 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.07

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (6)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10366
PATCHgithub.com/jenkinsci/skytap-cloud-plugin
WEBgithub.com/jenkinsci/skytap-cloud-plugin/commit/167986a84d1d15b525eaf0232b1c1a7c47aef670
WEBjenkins.io/security/advisory/2019-07-31/#SECURITY-1429