Skip to main content

Testlink CVE-2019-10378

MEDIUM
Insufficiently Protected Credentials (CWE-522)
2019-08-07 jenkinsci-cert@googlegroups.com
5.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
5.3 MEDIUM
AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Attack Vector
Local
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
Low

Lifecycle Timeline

1
CVE Published
Aug 07, 2019 - 15:15 nvd
MEDIUM 5.3

DescriptionNVD

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system.

AnalysisAI

Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Rated medium severity (CVSS 5.3), this vulnerability is low attack complexity. No vendor patch available.

Technical ContextAI

This vulnerability is classified as Insufficiently Protected Credentials (CWE-522), which allows attackers to obtain user credentials due to weak protection mechanisms. Jenkins TestLink Plugin 3.16 and earlier stores credentials unencrypted in its global configuration file on the Jenkins master where they can be viewed by users with access to the master file system. Affected products include: Jenkins Testlink.

RemediationAI

No vendor patch is available at time of analysis. Monitor vendor advisories for updates. Hash passwords with strong algorithms (bcrypt, argon2), encrypt credentials in transit and at rest, never log credentials.

CVE-2012-0938 MEDIUM POC
6.5 Aug 14

Multiple SQL injection vulnerabilities in TestLink 1.9.3, 1.8.5b, and earlier allow remote authenticated users with cert

CVE-2014-5308 CRITICAL POC
9.0 Oct 08

Multiple SQL injection vulnerabilities in TestLink 1.9.11 allow remote authenticated users to execute arbitrary SQL comm

CVE-2020-8638 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in planUrgency.php v

CVE-2020-8637 CRITICAL POC
9.8 Apr 03

A SQL injection vulnerability in TestLink 1.9.20 allows attackers to execute arbitrary SQL commands in dragdroptreenodes

CVE-2022-35196 HIGH POC
8.8 Sep 20

TestLink v1.9.20 was discovered to contain a Cross-Site Request Forgery (CSRF) via /lib/plan/planView.php. Rated high se

CVE-2020-8639 HIGH POC
8.8 Apr 03

An unrestricted file upload vulnerability in keywordsImport.php in TestLink 1.9.20 allows remote attackers to execute ar

CVE-2020-8841 HIGH POC
8.8 Feb 10

An issue was discovered in TestLink 1.9.19. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable,

CVE-2014-8081 HIGH POC
7.5 Oct 31

lib/execute/execSetResults.php in TestLink before 1.9.13 allows remote attackers to conduct PHP object injection attacks

CVE-2024-46097 HIGH POC
8.1 Sep 27

TestLink 1.9.20 is vulnerable to Incorrect Access Control in the TestPlan editing section. Rated high severity (CVSS 8.1

CVE-2023-50110 HIGH POC
7.5 Dec 30

TestLink through 1.9.20 allows type juggling for authentication bypass because === is not used. Rated high severity (CVS

CVE-2020-12273 HIGH POC
7.5 Apr 27

In TestLink 1.9.20, a crafted login.php viewer parameter exposes cleartext credentials. Rated high severity (CVSS 7.5),

CVE-2018-7668 HIGH POC
7.5 Mar 05

TestLink through 1.9.16 allows remote attackers to read arbitrary attachments via a modified ID field to /lib/attachment

Share

CVE-2019-10378 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy