The Total Economic Impact of CloudBees - commissioned study shows cost savings of $30.9 million using CloudBees for CI/CD →

CloudBees Security Advisory 2017-08-08

This advisory announces a vulnerability in the SAML Plugin.

SAML Plugin stored keystore and private key passwords in plain text

JENKINS-46007

The SAML Plugin stored passwords unencrypted as part of its configuration. This allowed users with Jenkins master local file system access and Jenkins administrators to retrieve the stored password. The latter could result in exposure of the passwords through browser extensions, cross-site scripting vulnerabilities, and similar situations.

The SAML Plugin now stores passwords encrypted, and only transfers encrypted values as part of the configuration form after the initial configuration.

Severity

  • JENKINS-46007: low .

All versions of SAML Plugin up to and including 1.0.2 are affected.

Fix

Users of SAML Plugin should update it to version 1.0.3 or newer. Please be aware that version 1.0.3 of the plugin requires a Jenkins Core 2.60.1 or newer, which means this version can only be installed in:

  • CloudBees Jenkins Enterprise 1.7.1 or newer.

  • CloudBees Jenkins Platform 2.60.1.1 or newer (rolling train).

  • CloudBees Jenkins Team 2.60.1.1 or newer.

More Security Advisories

From code to customer.

Continuously advancing your business.

© 2024 CloudBees, Inc., CloudBees® and the Infinity logo® are registered trademarks of CloudBees, Inc. in the United States and may be registered in other countries. Other products or brand names may be trademarks or registered trademarks of CloudBees, Inc. or their respective holders. Jenkins® is a registered trademark of LF Charities Inc.