GHSA-87pj-9q82-m9qh

Source

https://github.com/advisories/GHSA-87pj-9q82-m9qh

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-87pj-9q82-m9qh/GHSA-87pj-9q82-m9qh.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-87pj-9q82-m9qh

Aliases

CVE-2019-1003018

Published

2022-05-13T01:31:35Z

Modified

2024-02-16T07:56:41.201767Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator

Summary

GitHub Authentication Plugin showed plain text client secret in configuration form

Details

An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or control the browser (e.g. malicious extension) to retrieve the configured client secret.

Database specific

{
    "nvd_published_at": "2019-02-06T16:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2024-01-09T22:48:15Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:github-oauth

Package

Name: org.jenkins-ci.plugins:github-oauth; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/github-oauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

0.31

Affected versions

-rc586.*

-rc586.88708ce878fc

0.*

0.1

0.2

0.3

0.4

0.5

0.6

0.7

0.8

0.8.1

0.9

0.10

0.11

0.12

0.13

0.13.1

0.14

0.16

0.17

0.18

0.19

0.20

0.21

0.21.1

0.21.2

0.22

0.22.1

0.22.2

0.22.3

0.23

0.24

0.25

0.26

0.27

0.28.1

0.29

Database specific

{
    "last_known_affected_version_range": "<= 0.29"
}