Skip to content

Jenkins OpenId Connect Authentication Plugin showed plain text client secret in configuration form

Moderate severity GitHub Reviewed Published May 13, 2022 to the GitHub Advisory Database • Updated Jan 30, 2024

Package

maven org.jenkins-ci.plugins:oic-auth (Maven)

Affected versions

<= 1.4

Patched versions

1.5

Description

An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.

References

Published by the National Vulnerability Database Feb 6, 2019
Published to the GitHub Advisory Database May 13, 2022
Last updated Jan 30, 2024
Reviewed Jan 30, 2024

Severity

Moderate
4.3
/ 10

CVSS base metrics

Attack vector
Network
Attack complexity
Low
Privileges required
None
User interaction
Required
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N

Weaknesses

CVE ID

CVE-2019-1003021

GHSA ID

GHSA-3858-58w9-wpcg

Source code

No known source code
Checking history
See something to contribute? Suggest improvements for this vulnerability.