CVE-2019-16557 — Jenkins Redgate SQL Change Automation Plugin has Insufficiently Protected Creden

Description

Jenkins Redgate SQL Change Automation Plugin 2.0.3 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

How to fix CVE-2019-16557

To remediate CVE-2019-16557, upgrade the affected package to a fixed version below.

—upgrade to 2.0.4 or later

Is CVE-2019-16557 being exploited?

Low — EPSS is 0.0%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 2.0.4

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM6.5	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2019-16557
WEBgithub.com/jenkinsci/redgate-sql-ci-plugin/commit/18525ee6f01a5bc36040d40f1ff63702ce7280ac
WEBjenkins.io/security/advisory/2019-12-17/#SECURITY-1598
WEBwww.openwall.com/lists/oss-security/2019/12/17/1