Bug 1032391 (CVE-2013-6372) - CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)
Summary: CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SE...
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2013-6372
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1033371 1033372 1033373
Blocks: 1032405 1103334
TreeView+ depends on / blocked
 
Reported: 2013-11-20 05:27 UTC by Kurt Seifried
Modified: 2019-09-29 13:10 UTC (History)
11 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2014-10-28 22:54:37 UTC


Attachments (Terms of Use)

Description Kurt Seifried 2013-11-20 05:27:37 UTC
Kohsuke Kawaguchi reports:

Insecure storage of passwords in Subversion plugin.

Description
Just noticed, that ssh-key passphrases in <JOB>/subversion.credentials are only coded in base64 an can easily be decoded.
maybe this is fixed already. My setup is old and grown over time. Although i am running 1.500 the config-files may be old.
i did run the "re-keying" process, as jenkins told me to do. Nevertheless, passphrases are still stored in base64

This was originally reported by Lennart Starr

Comment 2 Vincent Danen 2013-11-21 19:01:00 UTC
This is now public:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20

Comment 5 Kurt Seifried 2014-06-25 07:24:36 UTC
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.

Comment 6 Kurt Seifried 2014-10-28 22:54:37 UTC
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html


Note You need to log in before you can comment on or make changes to this bug.