GHSA-qmhq-876f-cr65
Suggest an improvement- Source
- https://github.com/advisories/GHSA-qmhq-876f-cr65
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/11/GHSA-qmhq-876f-cr65/GHSA-qmhq-876f-cr65.json
- JSON Data
- https://api.osv.dev/v1/vulns/GHSA-qmhq-876f-cr65
- Aliases
- Published
- 2023-11-29T15:30:21Z
- Modified
- 2024-02-16T08:10:53.464806Z
- Severity
-
- 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
- Summary
- Jenkins Jira Plugin vulnerable to exposure of system-scoped credentials
- Details
-
Jenkins Jira Plugin 3.11 and earlier does not set the appropriate context for credentials lookup, allowing the use of system-scoped credentials otherwise reserved for the global configuration.
This allows attackers with Item/Configure permission to access and capture credentials they are not entitled to.
Jira Plugin 3.12 defines the appropriate context for credentials lookup.
- Database specific
{ "nvd_published_at": "2023-11-29T14:15:07Z", "cwe_ids": [ "CWE-522" ], "severity": "MODERATE", "github_reviewed": true, "github_reviewed_at": "2023-11-29T21:32:10Z" }- References
Affected packages
Maven / org.jenkins-ci.plugins:jira
Package
- Name
- org.jenkins-ci.plugins:jira
- View open source insights on deps.dev
- Purl
- pkg:maven/org.jenkins-ci.plugins/jira
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed3.12
Affected versions
1.*
1.27
1.28
1.29
1.30
1.31
1.32
1.33
1.34
1.35
1.36
1.37
1.38
1.39
1.41
2.*
2.0
2.0.2
2.0.3
2.1
2.2
2.2.1
2.3
2.3.1
2.4
2.4.2
2.5
2.5.1
2.5.2
3.*
3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.6.1
3.0.7
3.0.8
3.0.9
3.0.10
3.0.11
3.0.12
3.0.13
3.0.14
3.0.15
3.0.16
3.0.17
3.0.18
3.1.0
3.1.1
3.1.2
3.1.3
3.2
3.2.1
3.3
3.4
3.5
3.6
3.6.1
3.7
3.7.1
3.8
3.9
3.10
3.11