CVE-2019-16542

low-risk

Published 2019-11-21

Jenkins Anchore Container Image Scanner Plugin 1.0.19 and earlier stores credentials unencrypted in job config.xml files on the Jenkins master where they can be viewed by users with Extended Read permission, or access to the master file system.

Do I need to act?

0.05% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 6.5/10 Medium

NETWORK / LOW complexity

Affected Products (1)

Anchore Container Image Scanner

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2019/11/21/1

Vendor Advisory https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1539

Mailing List http://www.openwall.com/lists/oss-security/2019/11/21/1

Vendor Advisory https://jenkins.io/security/advisory/2019-11-21/#SECURITY-1539

/ 100

low-risk

Severity 24/34 · High

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal