GHSA-mmqx-g78c-hvfj

Source

https://github.com/advisories/GHSA-mmqx-g78c-hvfj

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-mmqx-g78c-hvfj/GHSA-mmqx-g78c-hvfj.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-mmqx-g78c-hvfj

Aliases

CVE-2019-1003039

Published

2022-05-13T01:15:09Z

Modified

2024-02-16T08:23:09.609660Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins AppDynamics Dashboard Plugin has insufficiently protected credentials

Details

Jenkins AppDynamics Dashboard Plugin stored username and password in its configuration unencrypted in jobs' config.xml files on the Jenkins controller. This password could be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

While masked from view using a password form field, the password was transferred in plain text to users when accessing the job configuration form.

AppDynamics Dashboard Plugin now stores the password encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Database specific

{
    "nvd_published_at": "2019-03-08T21:29:00Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-10-25T23:01:19Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:appdynamics-dashboard

Package

Name: org.jenkins-ci.plugins:appdynamics-dashboard; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/appdynamics-dashboard

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.15

Affected versions

1.*

1.0.0

1.0.1

1.0.6

1.0.7

1.0.13

1.0.14

Database specific

{
    "last_known_affected_version_range": "<= 1.0.14"
}