CVE-2019-10398 — Jenkins Beaker Builder Plugin has Insufficiently Protected Credentials

Description

Beaker builder Plugin stored the Beaker password unencrypted on the Jenkins controller. This password could be viewed by users with access to the Jenkins controller file system. Beaker builder Plugin now stores these credentials encrypted.

How to fix CVE-2019-10398

To remediate CVE-2019-10398, upgrade the affected package to a fixed version below.

—upgrade to 1.10 or later

Is CVE-2019-10398 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.10

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	LOW3.3	CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10398
WEBgithub.com/jenkinsci/beaker-builder-plugin/commit/be0101f3541a5d2c28cf226c8b2e55cd4cfc94da
WEBjenkins.io/security/advisory/2019-09-12/#SECURITY-1545
WEBwww.openwall.com/lists/oss-security/2019/09/12/2