CVE-2013-6372: Jenkins Subversion Plugin Stores Credentials with Base64 Encoding
The Subversion plugin before 1.54 for Jenkins stores credentials using base64 encoding, which allows local users to obtain passwords and SSH private keys by reading a subversion.credentials file.
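A host-side check for this issue, as an added example that is not part of the advisory or the plugin's code: it finds subversion.credentials files under a Jenkins home, flags those readable by group or other users, and compares the installed plugin version against 1.54. The exploded plugin path plugins/subversion/META-INF/MANIFEST.MF and its Plugin-Version header are assumptions about the installation layout, and all function names are hypothetical.

```python
import os
import re
import stat
import sys
from pathlib import Path

FIXED_VERSION = (1, 54)  # the advisory says versions before 1.54 are affected


def parse_version(text):
    """Leading numeric components of a version string, e.g. '1.53' -> (1, 53)."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    return tuple(int(p) for p in m.group(1).split(".")) if m else ()


def is_affected(version_text):
    version = parse_version(version_text)
    return bool(version) and version < FIXED_VERSION


def installed_version(jenkins_home):
    """Read Plugin-Version from the exploded plugin manifest (assumed layout)."""
    manifest = Path(jenkins_home, "plugins", "subversion", "META-INF", "MANIFEST.MF")
    if not manifest.is_file():
        return None
    for line in manifest.read_text(errors="replace").splitlines():
        if line.startswith("Plugin-Version:"):
            return line.split(":", 1)[1].strip()
    return None


def find_credential_files(jenkins_home):
    """Return (path, mode, exposed) for every subversion.credentials file.

    Base64 needs no key to reverse, so read permission on the file is the
    only barrier; 'exposed' means group or other users can read it.
    """
    findings = []
    for path in Path(jenkins_home).rglob("subversion.credentials"):
        mode = stat.S_IMODE(path.lstat().st_mode)
        exposed = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        findings.append((str(path), oct(mode), exposed))
    return sorted(findings)


if __name__ == "__main__":
    home = sys.argv[1] if len(sys.argv) > 1 else os.environ.get("JENKINS_HOME", ".")
    version = installed_version(home)
    affected = bool(version) and is_affected(version)
    print("subversion plugin:", version or "not found", "(affected)" if affected else "")
    for path, mode, exposed in find_credential_files(home):
        print("EXPOSED" if exposed else "ok     ", mode, path)
```

Run it with the Jenkins home directory as the first argument, or with JENKINS_HOME set.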
References
- access.redhat.com/errata/RHBA-2014:1630
- access.redhat.com/security/cve/CVE-2013-6372
- bugzilla.redhat.com/show_bug.cgi?id=1032391
- github.com/advisories/GHSA-c4fr-gx5w-8qf2
- github.com/jenkinsci/subversion-plugin
- github.com/jenkinsci/subversion-plugin/commit/7d4562d6f7e40de04bbe29577b51c79f07d05ba6
- nvd.nist.gov/vuln/detail/CVE-2013-6372
- wiki.jenkins-ci.org/display/SECURITY/Jenkins+Security+Advisory+2013-11-20