GHSA-m3wv-fr8v-fmh7

Suggest an improvement
Source
https://github.com/advisories/GHSA-m3wv-fr8v-fmh7
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-m3wv-fr8v-fmh7/GHSA-m3wv-fr8v-fmh7.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-m3wv-fr8v-fmh7
Aliases
Published
2022-05-13T01:41:14Z
Modified
2024-02-17T05:32:32.795820Z
Severity
  • 7.8 (High) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H CVSS Calculator
Summary
Jenkins Build-Publisher plugin has Insufficiently Protected Credentials
Details

Jenkins Build-Publisher plugin version 1.21 and earlier stores credentials to other Jenkins instances in the file hudson.plugins.build_publisher.BuildPublisher.xml in the Jenkins master home directory. These credentials were stored unencrypted, allowing anyone with local file system access to access them. Additionally, the credentials were also transmitted in plain text as part of the configuration form. This could result in exposure of the credentials through browser extensions, cross-site scripting vulnerabilities, and similar situations. Build-Publisher Plugin 1.22 encrypts the credentials on disk, and only transmits their encrypted form to users viewing the configuration form.

Database specific 
{
    "nvd_published_at": "2018-01-26T02:29:00Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "HIGH",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-06T21:55:17Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:build-publisher

Package

Name
org.jenkins-ci.plugins:build-publisher
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/build-publisher

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.22

Affected versions

1.*

1.11
1.12
1.13
1.14
1.15
1.16
1.17
1.18
1.19
1.20
1.21

Database specific 

{
    "last_known_affected_version_range": "<= 1.21"
}