GHSA-3858-58w9-wpcg

Suggest an improvement
Source
https://github.com/advisories/GHSA-3858-58w9-wpcg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-3858-58w9-wpcg
Aliases
  • CVE-2019-1003021
Published
2022-05-13T01:31:34Z
Modified
2024-02-16T08:09:05.717774Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Jenkins OpenId Connect Authentication Plugin showed plain text client secret in configuration form
Details

An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.

Database specific 
{
    "nvd_published_at": "2019-02-06T16:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-30T22:28:39Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:oic-auth

Package

Name
org.jenkins-ci.plugins:oic-auth
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/oic-auth

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.5

Affected versions

1.*

1.0
1.1
1.2
1.3
1.4

Database specific 

{
    "last_known_affected_version_range": "<= 1.4"
}