Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.
Users are potentially affected if they:
- are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the "Connect using proxy" option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or Jenkins admin can view the job log.
{
  "nvd_published_at": "2023-03-28T20:15:00Z",
  "github_reviewed_at": "2023-04-05T19:40:36Z",
  "severity": "MODERATE",
  "github_reviewed": true,
  "cwe_ids": [ "CWE-532" ]
}