The following flaw was found in Jenkins:
Secrets such as passwords are typically stored on disk and sent to users as part of some pages in encrypted form. These were encrypted using AES-128 ECB without IV, which exposes Jenkins and the stored secrets to unnecessary risks. Jenkins now encrypts secrets using AES-128 CBC with random IV.
Created jenkins tracking bugs for this issue:
Affects: fedora-all [bug 1418736]