Bug 1732346 (CVE-2019-1010241) - CVE-2019-1010241 jenkins-plugin-credentials-binding: storing passwords in recoverable format leading to authenticated users being able to recover credentials
Status: NEW
Alias: CVE-2019-1010241
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
Blocks: 1732347
 
Reported: 2019-07-23 08:13 UTC by Marian Rehak
Modified: 2019-09-29 15:18 UTC (History)

Description Marian Rehak 2019-07-23 08:13:07 UTC
Jenkins Credentials Binding Plugin Jenkins 1.17 is affected by: CWE-257: Storing Passwords in a Recoverable Format. The impact is: Authenticated users can recover credentials. The component is: config-variables.jelly line #30 (passwordVariable). The attack vector is: Attacker creates and executes a Jenkins job.

External References:

https://docs.google.com/document/d/1MBEoJSMvkjp5Kua0bRD_kiDBisL0fOCwTL9uMWj4lGA

Comment 1 Akram Ben Aissi 2019-07-24 10:32:51 UTC
This is fixed upstream here: https://issues.jenkins-ci.org/browse/JENKINS-42950


We need to bump to version 1.19 of the Credentials Binding Plugin
Our current version of the plugin is credentials-binding:1.15

Comment 2 Sam Fowler 2019-08-05 01:23:44 UTC
In reply to comment #1:
> This is fixed upstream here:
> https://issues.jenkins-ci.org/browse/JENKINS-42950

This seems like a different issue to me. Perhaps JENKINS-42950 should have its own CVE assigned, we should contact upstream for clarification.

Comment 13 Gabe Montero 2019-09-20 11:31:12 UTC
@Eric you can manipulate the permissions that jenkins users have with our login plugin such that they cannot view jenkins credentials,
and you can do this such that those permissions are in place prior to the initial launch of jenkins.

Also remember, OpenShift users can create / start pipeline jobs without having to log into the Jenkins console.

And lastly, rather than a centralized Jenkins server, a cluster admin can provision a Jenkins server for each dev
if they like (at much less memory, most likely, than a shared, common Jenkins server).  These Jenkins servers
could then only contain the credentials the given developer is allowed to look at.

So the KCS article that Akram is working on describes these workarounds.

