GHSA-rm7r-xv53-xwc3

Source

https://github.com/advisories/GHSA-rm7r-xv53-xwc3

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-rm7r-xv53-xwc3/GHSA-rm7r-xv53-xwc3.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-rm7r-xv53-xwc3

Aliases

CVE-2020-2314

Published

2022-05-24T17:33:08Z

Modified

2023-11-08T04:03:04.441533Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Password stored in plain text by Jenkins AppSpider Plugin

Details

AppSpider Plugin 1.0.12 and earlier stores a password unencrypted in its global configuration file com.rapid7.jenkinspider.PostBuildScan.xml on the Jenkins controller as part of its configuration.

This password can be viewed by users with access to the Jenkins controller file system.

AppSpider Plugin 1.0.13 stores a password encrypted once its configuration is saved again.

Database specific

{
    "nvd_published_at": "2020-11-04T15:15:00Z",
    "github_reviewed_at": "2022-12-22T13:41:28Z",
    "severity": "LOW",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-256",
        "CWE-522"
    ]
}

References

Affected packages

Maven / com.rapid7:jenkinsci-appspider-plugin

Package

Name: com.rapid7:jenkinsci-appspider-plugin; View open source insights on deps.dev
Purl: pkg:maven/com.rapid7/jenkinsci-appspider-plugin

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1.0.13

Affected versions

1.*

1.0.2

1.0.3

1.0.4

1.0.5

1.0.6

1.0.7

1.0.8

1.0.10

1.0.11

1.0.12