GHSA-fjrv-vx9m-4jpj

Source
https://github.com/advisories/GHSA-fjrv-vx9m-4jpj
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-fjrv-vx9m-4jpj/GHSA-fjrv-vx9m-4jpj.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-fjrv-vx9m-4jpj
Aliases
  • CVE-2023-25722
Published
2023-03-28T21:30:20Z
Modified
2023-11-08T04:11:54.761213Z
Severity
  • 5.5 (Medium) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Details

Veracode Scan Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs, invokes the Veracode Java API Wrapper with the Veracode API credentials passed on the wrapper process's command line. On the Jenkins agent host, process arguments are visible to every local OS user (for example via ps or /proc/<pid>/cmdline), so any local user on that host can recover the credentials simply by listing the process and its arguments (CWE-214, Invocation of Process Using Visible Sensitive Information). Upgrade the plugin to 23.3.19.0 or later; credentials that were used by an affected version on a shared agent should be treated as exposed to anyone who had local access to that host, and rotated.
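
The leak described above, as an added example in Python that is not the plugin's or the Veracode wrapper's code. The flag names -vid/-vkey/--api-id/--api-key, the jar name and the process listing are constructed stand-ins, since the page does not state the wrapper's actual option names. scan_cmdlines is the check an auditor would run over a process listing (ps -eo pid,args, or /proc) on the agent host; the two spawn functions contrast the vulnerable pattern (credential on argv, world-readable through /proc/<pid>/cmdline on Linux) with one hardened form (credential written to the child's stdin, argv carries only a placeholder).

```python
"""Added example: how a secret on argv leaks on a shared host, and a check for it.

Not the plugin's or the Veracode wrapper's code. Flag names, the jar name and
the sample process listing are constructed stand-ins for illustration.
"""
import os
import subprocess
import sys

# Assumed names of the arguments that carry credentials (illustrative only).
SECRET_FLAGS = ("-vid", "-vkey", "--api-id", "--api-key")

# Constructed process listing as (pid, argv). Not a real capture.
SAMPLE_CMDLINES = [
    (4242, ["java", "-jar", "VeracodeJavaAPI.jar", "-action", "UploadAndScan",
            "-vid", "0123abcd", "-vkey", "deadbeef"]),
    (4243, ["java", "-jar", "VeracodeJavaAPI.jar", "-vkey=cafebabe"]),
    (4244, ["sleep", "30"]),
]


def scan_cmdlines(cmdlines, flags=SECRET_FLAGS):
    """Return (pid, flag, value) for every credential-carrying argument.

    Handles both the '-flag value' and the '-flag=value' spellings. Fed the
    parsed output of `ps -eo pid,args` (or a walk of /proc/*/cmdline), this
    is the detection an auditor would run on the agent host.
    """
    hits = []
    for pid, argv in cmdlines:
        for i, arg in enumerate(argv):
            for flag in flags:
                if arg == flag and i + 1 < len(argv):
                    hits.append((pid, flag, argv[i + 1]))
                elif arg.startswith(flag + "="):
                    hits.append((pid, flag, arg[len(flag) + 1:]))
    return hits


def read_cmdline(pid):
    """argv of a live process as any local user sees it (Linux /proc is world-readable)."""
    with open(f"/proc/{pid}/cmdline", "rb") as f:
        return [a.decode(errors="replace") for a in f.read().split(b"\0") if a]


def _have_proc():
    return os.path.exists("/proc/self/cmdline")


def spawn_with_secret_on_argv(secret):
    """Vulnerable pattern: the credential is a command-line argument of the child.

    Returns True when the secret is visible in the child's /proc cmdline,
    None where /proc is unavailable (non-Linux hosts).
    """
    if not _have_proc():
        return None
    child = subprocess.Popen(
        [sys.executable, "-c", "import time; time.sleep(30)", "-vkey", secret])
    try:
        return secret in read_cmdline(child.pid)
    finally:
        child.kill()
        child.wait()


def spawn_with_secret_on_stdin(secret):
    """Hardened pattern: the credential travels over a pipe; argv names only the source.

    Returns True if the secret leaked into argv (it must not), None without /proc.
    """
    if not _have_proc():
        return None
    child = subprocess.Popen(
        [sys.executable, "-c",
         "import sys, time; key = sys.stdin.readline().strip(); time.sleep(30)",
         "-vkey", "@stdin"],
        stdin=subprocess.PIPE)
    try:
        child.stdin.write(secret.encode() + b"\n")
        child.stdin.flush()
        return secret in read_cmdline(child.pid)
    finally:
        child.kill()
        child.stdin.close()
        child.wait()


if __name__ == "__main__":
    for pid, flag, _value in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"pid {pid}: value of {flag} is visible to every local user")
    print("argv pattern leaks:", spawn_with_secret_on_argv("s3cr3t-example"))
    print("stdin pattern leaks:", spawn_with_secret_on_stdin("s3cr3t-example"))
```

Passing the credential in an environment variable is a weaker fix than stdin or a mode-0600 file: /proc/<pid>/environ is readable by the process owner and root, and environment blocks are routinely copied into crash dumps and diagnostic bundles. Whatever the transport, the scan above finds only the pattern this advisory describes; credentials already used by an affected plugin version on a shared agent still need rotating.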

Database specific
{
    "nvd_published_at": "2023-03-28T20:15:00Z",
    "github_reviewed_at": "2023-04-05T20:19:51Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-214"
    ]
}
References

Affected packages

Maven / com.veracode.jenkins:veracode-scan

Package

Name
com.veracode.jenkins:veracode-scan
Purl
pkg:maven/com.veracode.jenkins/veracode-scan

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
23.3.19.0

Affected versions

1.*

1.0.5-alpha

20.*

20.6.10.0-alpha
20.6.10.0
20.6.10.2-alpha
20.9.11.0

21.*

21.2.12.0
21.6.13.0
21.7.14.0
21.8.15.0
21.9.16.0
21.12.17.0

22.*

22.2.17.1
22.5.17.2
22.6.18.0