Jenkins PAM Auth Info Disclosure (CVE-2019-10319) and Credentials Plugin Vulnerability (CVE-2019-10320) Advisory

Jenkins Security Advisory 2019-05-21 Vulnerabilities Missing permission check allowed obtaining limited information about system configuration in PAM Authentication Plugin CVE ID: CVE-2019-10319 Severity: Medium Affected Plugin: pam-auth Description: - Missing permission check in PAM Authentication Plugin allowed users with Overall/Read permission to obtain limited information about system configuration. - This issue has been resolved by requiring Overall/Administer permission for form validation. Certificate file read vulnerability in Credentials Plugin CVE ID: CVE-2019-10320 Severity: Medium Affected Plugin: credentials Description: - Credentials Plugin allowed the creation of Certificate credentials from a PKCS#12 file on the Jenkins controller. - Users could obtain certificate content by configuring jobs to access these credentials. - Credentials Plugin no longer supports Certificate credentials from PKCS#12 files. Affected Versions Credentials Plugin: up to and including 2.1.18 PAM Authentication Plugin: up to and including 1.5 Fixes Credentials Plugin: update to version 2.1.19 PAM Authentication Plugin: update to version 1.5.1 Credit Daniel Beck, CloudBees, Inc. for SECURITY-1316 Yakov Shafranovich and Pankaj Upadhyay; T. Rowe Price Associates, Inc. for SECURITY-1322

Goal Reached Thanks to every supporter — we hit 100%!

Jenkins PAM Auth Info Disclosure (CVE-2019-10319) and Credentials Plugin Vulnerability (CVE-2019-10320) Advisory