CVE-2019-10416 — Violation Comments to GitLab Plugin has Insufficiently Protected Credentials

Description

Violation Comments to GitLab Plugin stored API tokens unencrypted in job `config.xml` files and its global configuration file `org.jenkinsci.plugins.jvctgl.ViolationsToGitLabGlobalConfiguration.xml` on the Jenkins controller. These credentials could be viewed by users with Extended Read permission, or access to the Jenkins controller file system. Violation Comments to GitLab Plugin now stores these credentials encrypted. Existing jobs need to have their configuration saved for existing plain text credentials to be overwritten.

How to fix CVE-2019-10416

To remediate CVE-2019-10416, upgrade the affected package to a fixed version below.

—upgrade to 2.29 or later

Is CVE-2019-10416 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.29

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-10416
WEBgithub.com/jenkinsci/violation-comments-to-gitlab-plugin/commit/e8237a803012bae7773d8bd10fe02e21892be3fe
WEBjenkins.io/security/advisory/2019-09-25/#SECURITY-1577
WEBwww.openwall.com/lists/oss-security/2019/09/25/3