Bug 1032391 - (CVE-2013-6372) CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)
CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SE...
Status: CLOSED ERRATA
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
unspecified
All Linux
low Severity low
: ---
: ---
Assigned To: Red Hat Product Security
impact=low,public=20131121,reported=2...
: Security
Depends On: 1033371 1033372 1033373
Blocks: 1032405 1103334
  Show dependency treegraph
 
Reported: 2013-11-20 00:27 EST by Kurt Seifried
Modified: 2014-10-29 08:15 EDT (History)
11 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2014-10-28 18:54:37 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Kurt Seifried 2013-11-20 00:27:37 EST
Kohsuke Kawaguchi reports:

Insecure storage of passwords in Subversion plugin.

Description
Just noticed, that ssh-key passphrases in <JOB>/subversion.credentials are only coded in base64 an can easily be decoded.
maybe this is fixed already. My setup is old and grown over time. Although i am running 1.500 the config-files may be old.
i did run the "re-keying" process, as jenkins told me to do. Nevertheless, passphrases are still stored in base64

This was originally reported by Lennart Starr
Comment 2 Vincent Danen 2013-11-21 14:01:00 EST
This is now public:

https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
Comment 5 Kurt Seifried 2014-06-25 03:24:36 EDT
Statement:

Red Hat OpenShift Enterprise 1.2 is now in Production 1 Phase of the support
and maintenance life cycle. This has been rated as having Moderate security
impact and is not currently planned to be addressed in future updates. For
additional information, refer to the Red Hat OpenShift Enterprise Life Cycle:
https://access.redhat.com/site/support/policy/updates/openshift.
Comment 6 Kurt Seifried 2014-10-28 18:54:37 EDT
This issue has been addressed in the following products:

  Red Hat OpenShift Enterprise 2.1

Via RHBA-2014:1630 https://rhn.redhat.com/errata/RHBA-2014-1630.html

Note You need to log in before you can comment on or make changes to this bug.