GHSA-hx3r-qwxv-5jw9

Source

https://github.com/advisories/GHSA-hx3r-qwxv-5jw9

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/03/GHSA-hx3r-qwxv-5jw9/GHSA-hx3r-qwxv-5jw9.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-hx3r-qwxv-5jw9

Aliases

CVE-2022-27206

Published

2022-03-16T00:00:43Z

Modified

2023-11-08T04:08:57.189287Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Client Secret stored in plain text by Jenkins GitLab Authentication Plugin

Details

Jenkins GitLab Authentication Plugin 1.13 and earlier stores the GitLab client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

This client secret can be viewed by users with access to the Jenkins controller file system.

Database specific

{
    "nvd_published_at": "2022-03-15T17:15:00Z",
    "github_reviewed_at": "2022-11-30T20:15:12Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-311",
        "CWE-522"
    ]
}

References

Affected packages

Maven / org.jenkins-ci.plugins:gitlab-oauth

Package

Name: org.jenkins-ci.plugins:gitlab-oauth; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/gitlab-oauth

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.14

Affected versions

1.*

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.9

1.1

1.2

1.3

1.4

1.5

1.6

1.7

1.8

1.9

1.10

1.11

1.12

1.13