Common Weakness Enumeration

CWE-256

Allowed

Plaintext Storage of a Password

Abstraction: Base · Status: Incomplete

The product stores a password in plaintext within resources such as memory or files.

397 vulnerabilities reference this CWE, most recent first.

GHSA-4VRP-PMWP-P4H4

Vulnerability from github – Published: 2025-04-23 18:30 – Updated: 2025-04-23 18:30
VLAI
Details

BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is required to exploit this vulnerability.

The specific flaw exists within the web-based user interface. The issue results from storing credentials in a recoverable format. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25986.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-2770"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-04-23T17:16:55Z",
    "severity": "MODERATE"
  },
  "details": "BEC Technologies Multiple Routers Cleartext Password Storage Information Disclosure Vulnerability. This vulnerability allows remote attackers to disclose sensitive information on affected installations of BEC Technologies routers. Authentication is required to exploit this vulnerability.\n\nThe specific flaw exists within the web-based user interface. The issue results from storing credentials in a recoverable format. An attacker can leverage this vulnerability to disclose stored credentials, leading to further compromise. Was ZDI-CAN-25986.",
  "id": "GHSA-4vrp-pmwp-p4h4",
  "modified": "2025-04-23T18:30:59Z",
  "published": "2025-04-23T18:30:59Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-2770"
    },
    {
      "type": "WEB",
      "url": "https://www.zerodayinitiative.com/advisories/ZDI-25-186"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-4WX5-C723-XVWV

Vulnerability from github – Published: 2022-05-24 17:15 – Updated: 2022-12-16 23:00
VLAI
Summary
Credentials stored in plain text by Jenkins Copr Plugin
Details

Copr Plugin 0.3 and earlier stores credentials unencrypted in job config.xml files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.

Copr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.3"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.fedoraproject.jenkins.plugins:copr"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.6.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2177"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-16T23:00:33Z",
    "nvd_published_at": "2020-04-16T19:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Copr Plugin 0.3 and earlier stores credentials unencrypted in job `config.xml` files as part of its configuration. These credentials can be viewed by users with Extended Read permission or access to the Jenkins controller file system.\n\nCopr Plugin 0.6.1 stores these credentials encrypted. This change is effective once the job configuration is saved the next time.",
  "id": "GHSA-4wx5-c723-xvwv",
  "modified": "2022-12-16T23:00:33Z",
  "published": "2022-05-24T17:15:35Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2177"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/copr-plugin/commit/23ea581364d64645cd90d2c5d97a4b94781f61f9"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/copr-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-04-16/#SECURITY-1556"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/04/16/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Credentials stored in plain text by Jenkins Copr Plugin"
}

GHSA-4X65-4FJX-R7M6

Vulnerability from github – Published: 2023-01-26 21:30 – Updated: 2023-02-03 20:39
VLAI
Summary
Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin
Details

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:github-pr-coverage-status"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "2.2.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-24442"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-312"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-27T01:03:17Z",
    "nvd_published_at": "2023-01-26T21:18:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-4x65-4fjx-r7m6",
  "modified": "2023-02-03T20:39:15Z",
  "published": "2023-01-26T21:30:18Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-24442"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2767"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext storage of Access Token in Jenkins GitHub Pull Request Coverage Status Plugin"
}

GHSA-4XVG-4W2R-QPH8

Vulnerability from github – Published: 2026-01-23 00:31 – Updated: 2026-01-23 00:31
VLAI
Details

An attacker could decrypt sensitive data, impersonate legitimate users or devices, and potentially gain access to network resources for lateral attacks.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-25051"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-01-22T23:15:48Z",
    "severity": "MODERATE"
  },
  "details": "An attacker could decrypt sensitive data, impersonate legitimate users \nor devices, and potentially gain access to network resources for lateral\n attacks.",
  "id": "GHSA-4xvg-4w2r-qph8",
  "modified": "2026-01-23T00:31:17Z",
  "published": "2026-01-23T00:31:17Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-25051"
    },
    {
      "type": "WEB",
      "url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-022-02.json"
    },
    {
      "type": "WEB",
      "url": "https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-02"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ]
}

GHSA-528J-9R78-WFFX

Vulnerability from github – Published: 2022-10-06 23:17 – Updated: 2023-03-30 14:46
VLAI
Summary
etcd user credentials are stored in WAL logs in plaintext
Details

Vulnerability type

Data Exposure

Workarounds

The etcd assumes that the on disk files are secure. The possible fixes have been provided, however, it is the responsibility of the etcd users to make sure that the etcd server WAL log files are secure. The etcd doesn't encrypt key/value data stored on disk drives.

Detail

User credentials (login and password) are stored in WAL entries on each user authentication. If the WAL log files are not secure, it can potentially expose sensitive information.

References

Find out more on this vulnerability in the security audit report

For more information

If you have any questions or comments about this advisory: * Contact the etcd security committee

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.etcd.io/etcd/client/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "3.4.0"
            },
            {
              "fixed": "3.4.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    },
    {
      "package": {
        "ecosystem": "Go",
        "name": "go.etcd.io/etcd/client/v3"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "3.3.23"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-10-06T23:17:24Z",
    "nvd_published_at": null,
    "severity": "LOW"
  },
  "details": "### Vulnerability type\nData Exposure\n\n### Workarounds\nThe etcd assumes that the on disk files are secure. The possible fixes have been provided, however, it is the responsibility of the etcd users to make sure that the etcd server WAL log files are secure. The [etcd doesn\u0027t encrypt key/value data stored on disk drives](https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md#does-etcd-encrypt-data-stored-on-disk-drives).\n\n### Detail\nUser credentials (login and password) are stored in WAL entries on each user authentication. If the WAL log files are not secure, it can potentially expose sensitive information.\n\n### References\nFind out more on this vulnerability in the [security audit report](https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf)\n\n### For more information\nIf you have any questions or comments about this advisory:\n* Contact the [etcd security committee](https://github.com/etcd-io/etcd/blob/master/security/security-release-process.md#product-security-committee-psc)",
  "id": "GHSA-528j-9r78-wffx",
  "modified": "2023-03-30T14:46:31Z",
  "published": "2022-10-06T23:17:24Z",
  "references": [
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/security/advisories/GHSA-528j-9r78-wffx"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/issues/10132"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/pull/11818"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/commit/585814082b8c8b7db272b30b365b81d27df4a4cb"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/etcd-io/etcd"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/blob/master/Documentation/op-guide/security.md#does-etcd-encrypt-data-stored-on-disk-drives"
    },
    {
      "type": "WEB",
      "url": "https://github.com/etcd-io/etcd/blob/master/security/SECURITY_AUDIT.pdf"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "etcd user credentials are stored in WAL logs in plaintext"
}

GHSA-53JW-4GWH-M8CM

Vulnerability from github – Published: 2022-05-24 16:57 – Updated: 2023-01-28 01:16
VLAI
Summary
Jenkins LDAP Email Plugin shows plain text password in configuration form
Details

Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.mtvi.plateng.hudson:ldapemail"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "0.8"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2019-10434"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-28T01:16:34Z",
    "nvd_published_at": "2019-10-01T14:15:00Z",
    "severity": "LOW"
  },
  "details": "Jenkins LDAP Email Plugin transmits configured credentials in plain text as part of the global Jenkins configuration form, potentially resulting in their exposure.",
  "id": "GHSA-53jw-4gwh-m8cm",
  "modified": "2023-01-28T01:16:34Z",
  "published": "2022-05-24T16:57:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2019-10434"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/ldapemail-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2019-10-01/#SECURITY-1515"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2019/10/01/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [],
  "summary": "Jenkins LDAP Email Plugin shows plain text password in configuration form "
}

GHSA-54M9-H7QP-FWVG

Vulnerability from github – Published: 2022-05-24 17:08 – Updated: 2023-01-05 21:46
VLAI
Summary
Password stored in plain text by Applatix Plugin
Details

Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.applatix.jenkins:applatix"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2020-2133"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-01-05T21:46:58Z",
    "nvd_published_at": "2020-02-12T15:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Applatix Plugin 1.1 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.",
  "id": "GHSA-54m9-h7qp-fwvg",
  "modified": "2023-01-05T21:46:58Z",
  "published": "2022-05-24T17:08:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2020-2133"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/applatix-plugin"
    },
    {
      "type": "WEB",
      "url": "https://jenkins.io/security/advisory/2020-02-12/#SECURITY-1540"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2020/02/12/3"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password stored in plain text by Applatix Plugin"
}

GHSA-567H-VQW8-C72F

Vulnerability from github – Published: 2025-11-14 15:30 – Updated: 2025-11-17 21:31
VLAI
Details

A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation.

The vendor was notified early about this vulnerability, but didn't respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.

Show details on source website

{
  "affected": [],
  "aliases": [
    "CVE-2025-9982"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2025-11-14T14:15:47Z",
    "severity": "MODERATE"
  },
  "details": "A vulnerability exists in QuickCMS version 6.8 where sensitive admin credentials are hardcoded in a configuration file and stored in plaintext. This flaw allows attackers with access to the source code or the server file system to retrieve authentication details, potentially leading to privilege escalation.\n\nThe vendor was notified early about this vulnerability, but didn\u0027t respond with the details of vulnerability or vulnerable version range. Only version 6.8 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable.",
  "id": "GHSA-567h-vqw8-c72f",
  "modified": "2025-11-17T21:31:22Z",
  "published": "2025-11-14T15:30:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2025-9982"
    },
    {
      "type": "WEB",
      "url": "https://cert.pl/posts/2025/11/CVE-2025-9982"
    },
    {
      "type": "WEB",
      "url": "https://opensolution.org/cms-system-quick-cms.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X",
      "type": "CVSS_V4"
    }
  ]
}

GHSA-56HC-WF49-2H96

Vulnerability from github – Published: 2022-07-01 00:01 – Updated: 2022-12-09 05:00
VLAI
Summary
Plaintext Storage of a Password in Jenkins Deployment Dashboard Plugin
Details

Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file de.codecentric.jenkins.dashboard.DashboardView.xml on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:ec2-deployment-dashboard"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "last_affected": "1.0.10"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2022-34799"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-07-11T20:58:44Z",
    "nvd_published_at": "2022-06-30T18:15:00Z",
    "severity": "LOW"
  },
  "details": "Deployment Dashboard Plugin 1.0.10 and earlier stores a password unencrypted in its global configuration file `de.codecentric.jenkins.dashboard.DashboardView.xml` on the Jenkins controller as part of its configuration. This password can be viewed by users with access to the Jenkins controller file system.",
  "id": "GHSA-56hc-wf49-2h96",
  "modified": "2022-12-09T05:00:15Z",
  "published": "2022-07-01T00:01:07Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2022-34799"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/ec2-deployment-dashboard"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2022-06-30/#SECURITY-2070"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Plaintext Storage of a Password in Jenkins Deployment Dashboard Plugin"
}

GHSA-5C2C-CVG6-GHJM

Vulnerability from github – Published: 2022-05-24 19:12 – Updated: 2023-10-27 15:59
VLAI
Summary
Password stored in plain text by Jenkins Nomad Plugin
Details

Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global config.xml file on the Jenkins controller as part of its worker templates configuration.

These passwords can be viewed by users with access to the Jenkins controller file system.

Jenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.

Show details on source website

{
  "affected": [
    {
      "database_specific": {
        "last_known_affected_version_range": "\u003c= 0.7.4"
      },
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:nomad"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "0.7.5"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2021-21681"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-256",
      "CWE-522"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-16T15:47:12Z",
    "nvd_published_at": "2021-08-31T14:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Jenkins Nomad Plugin 0.7.4 and earlier stores the passwords to authenticate against the Docker registry unencrypted in the global `config.xml` file on the Jenkins controller as part of its worker templates configuration.\n\nThese passwords can be viewed by users with access to the Jenkins controller file system.\n\nJenkins Nomad Plugin 0.7.5 stores the Docker passwords encrypted. This change is effective after Jenkins restarts.",
  "id": "GHSA-5c2c-cvg6-ghjm",
  "modified": "2023-10-27T15:59:40Z",
  "published": "2022-05-24T19:12:36Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2021-21681"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/nomad-plugin/commit/d45123487d57c0e2a8a6869866b05362f690f511"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/nomad-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2021-08-31/#SECURITY-2396"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2021/08/31/1"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Password stored in plain text by Jenkins Nomad Plugin"
}

Mitigation
Architecture and Design

Avoid storing passwords in easily accessible locations.

Mitigation
Architecture and Design

Consider storing cryptographic hashes of passwords as an alternative to storing in plaintext.

Mitigation

A programmer might attempt to remedy the password management problem by obscuring the password with an encoding function, such as base 64 encoding, but this effort does not adequately protect the password because the encoding can be detected and decoded easily.

No CAPEC attack patterns related to this CWE.