Unprotected storage of credentials in Jenkins NS-ND Integration Performance Publisher plugin
| Risk | Low |
| Patch available | YES |
| Number of vulnerabilities | 1 |
| CVE-ID | CVE-2023-33000 |
| CWE-ID | CWE-256 |
| Exploitation vector | Network |
| Public exploit | N/A |
| Vulnerable software |
NS-ND Integration Performance Publisher Web applications / Modules and components for CMS |
| Vendor | Jenkins |
Security Bulletin
This security bulletin contains one low risk vulnerability.
1) Unprotected storage of credentials
EUVDB-ID: #VU76300
Risk: Low
CVSSv4.0: 0.5 [CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]
CVE-ID: CVE-2023-33000
CWE-ID:
CWE-256 - Unprotected Storage of Credentials
Exploit availability: No
DescriptionThe vulnerability allows a remote attacker to gain access to sensitive information on the system.
The vulnerability exists due to the affected plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration. A remote attacker can gain access to sensitive information.
MitigationInstall updates from vendor's website.
Vulnerable software versionsNS-ND Integration Performance Publisher: 4.8.0.149
CPE2.3- cpe:2.3:a:jenkins:ns-nd_integration_performance_publisher:*:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins:ns-nd_integration_performance_publisher:4.8.0.149:*:*:*:*:*:*:*
https://jenkins.io/security/advisory/2023-05-16/
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware, which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
