GHSA-4fjc-fwj2-7xfg

Source

https://github.com/advisories/GHSA-4fjc-fwj2-7xfg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-4fjc-fwj2-7xfg/GHSA-4fjc-fwj2-7xfg.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-4fjc-fwj2-7xfg

Aliases

CVE-2020-2149

Published

2022-05-24T17:10:28Z

Modified

2023-11-08T04:02:53.192670Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Credentials transmitted in plain text by Repository Connector Plugin

Details

Repository Connector Plugin stores credentials in its global configuration file org.jvnet.hudson.plugins.repositoryconnector.RepositoryConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Repository Connector Plugin 1.2.6 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Database specific

{
    "nvd_published_at": "2020-03-09T16:15:00Z",
    "github_reviewed_at": "2023-01-14T05:25:05Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-319"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:repository-connector

Package

Name: org.jenkins-ci.plugins:repository-connector; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/repository-connector

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.0

Affected versions

1.*

1.0.0

1.0.1

1.1.0

1.1.1

1.1.2

1.1.3

1.2.3

1.2.4

1.2.5

1.2.6

1.3.1

Database specific

{
    "last_known_affected_version_range": "<= 1.2.6"
}