GHSA-98m4-m2c3-qxgq

Suggest an improvement
Source
https://github.com/advisories/GHSA-98m4-m2c3-qxgq
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-98m4-m2c3-qxgq/GHSA-98m4-m2c3-qxgq.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-98m4-m2c3-qxgq
Aliases
Published
2022-05-24T17:01:40Z
Modified
2024-02-16T08:19:19.005816Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CVSS Calculator
Summary
Jenkins JIRA Plugin allows users to select and use credentials with System scope
Details

Jenkins JIRA Plugin 3.0.10 and earlier does not declare the correct (folder) scope for per-folder Jira site definitions, allowing users to select and use credentials with System scope. Jira Plugin 3.0.11 defines the appropriate folder context for credential lookup. As a side effect, existing per-folder Jira sites may lose access to already configured System-scoped credentials, as if no credential was specified in the first place.

Database specific
{
    "nvd_published_at": "2019-11-21T15:15:00Z",
    "cwe_ids": [
        "CWE-668"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:56:30Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:jira

Package

Name
org.jenkins-ci.plugins:jira
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/jira

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.0.11

Affected versions

1.*

1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.41

2.*

2.0
2.0.2
2.0.3
2.1
2.2
2.2.1
2.3
2.3.1
2.4
2.4.2
2.5
2.5.1
2.5.2

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.6.1
3.0.7
3.0.8
3.0.9
3.0.10

Database specific

{
    "last_known_affected_version_range": "<= 3.0.10"
}