GHSA-2rrx-q65f-8945

Source

https://github.com/advisories/GHSA-2rrx-q65f-8945

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-2rrx-q65f-8945/GHSA-2rrx-q65f-8945.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-2rrx-q65f-8945

Aliases

CVE-2020-2155

Published

2022-05-24T17:10:29Z

Modified

2023-11-08T04:02:53.677946Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Credentials transmitted in plain text by OpenShift Deployer Plugin

Details

OpenShift Deployer Plugin stores credentials in its global configuration file org.jenkinsci.plugins.openshift.DeployApplication.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by OpenShift Deployer Plugin 1.2.0 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Database specific

{
    "nvd_published_at": "2020-03-09T16:15:00Z",
    "github_reviewed_at": "2023-01-14T05:25:30Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-319"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:openshift-deployer

Package

Name: org.jenkins-ci.plugins:openshift-deployer; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/openshift-deployer

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.2.0

Affected versions

1.*

1.0.1

1.0.2

1.0.3

1.0.4

1.1.0

1.1.1

1.2.0