GHSA-h27g-72mh-9m33

Source

https://github.com/advisories/GHSA-h27g-72mh-9m33

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-h27g-72mh-9m33/GHSA-h27g-72mh-9m33.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-h27g-72mh-9m33

Aliases

CVE-2019-10414

Published

2022-05-24T16:56:46Z

Modified

2024-02-16T08:19:24.573476Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins Git Changelog Plugin has Insufficiently Protected Credentials

Details

Git Changelog Plugin stored MediaWiki and Jira passwords unencrypted in job config.xml files on the Jenkins controller. These passwords could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Git Changelog Plugin now stores these passwords encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Database specific

{
    "nvd_published_at": "2019-09-25T16:15:00Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-02-23T20:32:21Z"
}

References

Affected packages

Maven / de.wellnerbou.jenkins:git-changelog

Package

Name: de.wellnerbou.jenkins:git-changelog; View open source insights on deps.dev
Purl: pkg:maven/de.wellnerbou.jenkins/git-changelog

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.18

Affected versions

1.*

1.1

1.2

1.4

1.5

1.6

1.7

1.8

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.26

1.27

1.28

1.29

1.30

1.31

1.32

1.33

1.35

1.36

1.37

1.39

1.40

1.41

1.42

1.45

1.46

1.47

1.48

1.49

1.50

1.51

1.52

1.53

1.54

1.55

1.56

1.57

2.*

2.0

2.1

2.2

2.3

2.4

2.5

2.6

2.7

2.8

2.9

2.10

2.11

2.12

2.13

2.14

2.15

2.16

2.17