Vulnerability Details : CVE-2013-6372
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
Products affected by CVE-2013-6372
- cpe:2.3:a:jenkins-ci:subversion-plugin:*:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.49:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.47:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.45:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.40:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.38:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.31:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.29:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.22:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.20:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.15:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.13:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.6:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.4:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.48:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.46:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.39:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.37:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.32:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.30:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.23:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.21:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.14:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.12:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.7:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.5:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.44:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.43:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.42:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.41:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.28:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.27:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.26:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.25:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.24:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.11:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.10:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.9:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.8:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.52:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.51:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.50:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.36:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.35:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.34:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.33:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.19:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.18:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.17:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.16:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.3:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.2:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.1:*:*:*:*:*:*:*
- cpe:2.3:a:jenkins-ci:subversion-plugin:1.0:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2013-6372
0.04%
Probability of exploitation activity in the next 30 days
EPSS Score History
~ 6 %
Percentile, the proportion of vulnerabilities that are scored at or less
CVSS scores for CVE-2013-6372
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
2.1
|
LOW | AV:L/AC:L/Au:N/C:P/I:N/A:N |
3.9
|
2.9
|
NIST |
CWE ids for CVE-2013-6372
-
Assigned by: nvd@nist.gov (Primary)
References for CVE-2013-6372
-
https://bugzilla.redhat.com/show_bug.cgi?id=1032391
1032391 – (CVE-2013-6372) CVE-2013-6372 Jenkins: insecure storage of passwords in Subversion plugin (SECURITY-58)
-
https://wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20
Jenkins Security Advisory 2013-11-20 - Security Advisories - Jenkins WikiVendor Advisory
-
https://github.com/jenkinsci/subversion-plugin/commit/7d4562d6f7e40de04bbe29577b51c79f07d05ba6
[FIXED SECURITY-58] · jenkinsci/subversion-plugin@7d4562d · GitHubExploit;Patch
Jump to