Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job. External References: https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA
This is fixed upstream here: https://issues.jenkins-ci.org/browse/JENKINS-42950 We need to bump to version 1.19 of the Credentials Binding Plugin Our current version of the plugin is credentials-binding:1.15
In reply to comment #1: > This is fixed upstream here: > https://issues.jenkins-ci.org/browse/JENKINS-42950 This seems like a different issue to me. Perhaps JENKINS-42950 should have its own CVE assigned, we should contact upstream for clarification.
@Eric you can manipulate the permissions that jenkins users have with our login plugin such that they cannot view jenkins credentials, and you can do this such that those permissions are in place prior to the initial launch of jenkins. Also remember, OpenShift users can create / start pipeline jobs without having to log into the Jenkins console. And lastly, rather than a centralized Jenkins server, a cluster admin can provision a Jenkins server for each dev if they like (at much less memory most likey than a shared, common, Jenkins server). These Jenkins servers could then only contain the credentials the give developer is allowed to look at. So the KCS article that Akram is working describes these workarounds.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-1010241