Bug 1732346 (CVE-2019-1010241)
| Field | Value |
|---|---|
| Summary | CVE-2019-1010241 jenkins-plugin-credentials-binding: storing passwords in recoverable format leading to authenticated users being able to recover credentials |
| Product | [Other] Security Response |
| Reporter | Marian Rehak <mrehak> |
| Component | vulnerability |
| Assignee | Red Hat Product Security <security-response-team> |
| Status | CLOSED WONTFIX |
| QA Contact | |
| Severity | medium |
| Docs Contact | |
| Priority | medium |
| Version | unspecified |
| CC | abenaiss, ahardin, aos-bugs, bleanhar, bmontgom, ccoleman, dedgar, eparis, erich, gmontero, jburrell, jgoulding, jokerman, mchappel, nstielau, pbhattac, sfowler, sponnaga, vbobade |
| Target Milestone | --- |
| Keywords | Reopened, Security |
| Target Release | --- |
| Hardware | All |
| OS | Linux |
| Whiteboard | |
| Fixed In Version | |
| Doc Type | If docs needed, set a value |
| Doc Text | |
| Story Points | --- |
| Clone Of | |
| Environment | |
| Last Closed | 2019-10-30 06:51:12 UTC |
| Type | --- |
| Regression | --- |
| Mount Type | --- |
| Documentation | --- |
| CRM | |
| Verified Versions | |
| Category | --- |
| oVirt Team | --- |
| RHEL 7.3 requirements from Atomic Host | |
| Cloudforms Team | --- |
| Target Upstream Version | |
| Embargoed | |
| Bug Depends On | |
| Bug Blocks | 1732347 |
Description
Marian Rehak
2019-07-23 08:13:07 UTC
This is fixed upstream here: https://issues.jenkins-ci.org/browse/JENKINS-42950

We need to bump to version 1.19 of the Credentials Binding Plugin. Our current version of the plugin is credentials-binding:1.15.

In reply to comment #1:
> This is fixed upstream here:
> https://issues.jenkins-ci.org/browse/JENKINS-42950

This seems like a different issue to me. Perhaps JENKINS-42950 should have its own CVE assigned; we should contact upstream for clarification.

@Eric you can manipulate the permissions that Jenkins users have with our login plugin such that they cannot view Jenkins credentials, and you can do this such that those permissions are in place prior to the initial launch of Jenkins. Also remember, OpenShift users can create/start pipeline jobs without having to log into the Jenkins console. And lastly, rather than a centralized Jenkins server, a cluster admin can provision a Jenkins server for each dev if they like (at much less memory, most likely, than a shared, common Jenkins server). These Jenkins servers could then only contain the credentials the given developer is allowed to look at.

So the KCS article that Akram is working on describes these workarounds.

This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1010241