GHSA-6fh3-xhwg-7hfh

Source

https://github.com/advisories/GHSA-6fh3-xhwg-7hfh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-6fh3-xhwg-7hfh/GHSA-6fh3-xhwg-7hfh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-6fh3-xhwg-7hfh

Aliases

CVE-2020-2150

Published

2022-05-24T17:10:28Z

Modified

2023-11-08T04:02:53.254210Z

Severity

3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins Sonar Quality Gates Plugin transmits credentials in plain text during configuration

Details

Sonar Quality Gates Plugin stores credentials in its global configuration file org.quality.gates.jenkins.plugin.GlobalConfig.xml on the Jenkins controller as part of its configuration. While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Sonar Quality Gates Plugin 1.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Database specific

{
    "nvd_published_at": "2020-03-09T16:15:00Z",
    "github_reviewed_at": "2023-01-06T16:56:35Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-319"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:sonar-quality-gates

Package

Name: org.jenkins-ci.plugins:sonar-quality-gates; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/sonar-quality-gates

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

1.3.1

Affected versions

1.*

1.0.4

1.0.5

1.0.6

1.1.0

1.1.1

1.1.2

1.2.0

1.3.0

1.3.1