GHSA-98m4-m2c3-qxgq

Source

https://github.com/advisories/GHSA-98m4-m2c3-qxgq

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98m4-m2c3-qxgq/GHSA-98m4-m2c3-qxgq.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-98m4-m2c3-qxgq

Aliases

CVE-2019-16541

Published

2022-05-24T17:01:40Z

Modified

2024-02-16T08:19:19.005816Z

Severity

6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator

Summary

Jenkins JIRA Plugin allows users to select and use credentials with System scope

Details

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.

Database specific

{
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "severity": "MODERATE",
    "github_reviewed_at": "2022-12-06T21:56:30Z",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-668"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:jira

Package

Name: org.jenkins-ci.plugins:jira; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/jira

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3.0.11

Affected versions

1.*

1.27

1.28

1.29

1.30

1.31

1.32

1.33

1.34

1.35

1.36

1.37

1.38

1.39

1.41

2.*

2.0

2.0.2

2.0.3

2.1

2.2

2.2.1

2.3

2.3.1

2.4

2.4.2

2.5

2.5.1

2.5.2

3.*

3.0.0

3.0.1

3.0.2

3.0.3

3.0.4

3.0.5

3.0.6

3.0.6.1

3.0.7

3.0.8

3.0.9

3.0.10

Database specific

last_known_affected_version_range

"<= 3.0.10"