GHSA-mf4p-wjrm-cmjp

Suggest an improvement
Source
https://github.com/advisories/GHSA-mf4p-wjrm-cmjp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-mf4p-wjrm-cmjp/GHSA-mf4p-wjrm-cmjp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-mf4p-wjrm-cmjp
Aliases
  • CVE-2022-43426
Published
2022-10-19T19:00:18Z
Modified
2023-11-08T04:10:43.518830Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
AWS secrets displayed without masking by Jenkins S3 Explorer Plugin
Details

S3 Explorer Plugin stores AWSSECRETACCESS_KEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWSSECRETACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Database specific 
{
    "nvd_published_at": "2022-10-19T16:15:00Z",
    "github_reviewed_at": "2022-10-19T21:22:54Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-549"
    ]
}
References

Affected packages

Maven / io.jenkins.plugins:s3explorer

Package

Name
io.jenkins.plugins:s3explorer
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.plugins/s3explorer

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Last affected
1.0.8

Affected versions

1.*

1.0.7
1.0.8