GHSA-36fg-whr2-g999

Source

https://github.com/advisories/GHSA-36fg-whr2-g999

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-36fg-whr2-g999/GHSA-36fg-whr2-g999.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-36fg-whr2-g999

Aliases

CVE-2023-40340

Published

2023-08-16T15:30:18Z

Modified

2024-12-05T05:38:41.919879Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins NodeJS Plugin improper credential masking vulnerability

Details

Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file.

NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

NodeJS Plugin 1.6.1 masks credentials specified in the Npm config file in Pipeline build logs.

Database specific

{
    "nvd_published_at": "2023-08-16T15:15:11Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-08-16T21:13:10Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:nodejs

Package

Name: org.jenkins-ci.plugins:nodejs; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/nodejs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.6.1

Affected versions

0.*

0.2

0.2.1

0.2.2

1.*

1.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.2.0

1.2.1

1.2.2

1.2.3

1.2.4

1.2.5

1.2.6

1.2.7

1.2.8

1.2.9

1.3.0

1.3.1

1.3.2

1.3.3

1.3.4

1.3.5

1.3.6

1.3.7

1.3.8

1.3.9

1.3.10

1.3.11

1.4.0

1.4.1

1.4.2

1.4.3

1.5.0

1.5.1

1.6.0

1.6.0.1