GHSA-wcjj-qm5v-j4pc

Source
https://github.com/advisories/GHSA-wcjj-qm5v-j4pc
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-wcjj-qm5v-j4pc/GHSA-wcjj-qm5v-j4pc.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wcjj-qm5v-j4pc
Aliases
Published
2022-11-16T12:00:23Z
Modified
2023-11-08T04:10:51.797677Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Jenkins Reverse Proxy Auth Plugin vulnerable due to plaintext storage of passwords
Details

Jenkins Reverse Proxy Auth Plugin versions 1.7.3 and earlier store the LDAP manager password unencrypted in the global config.xml file on the Jenkins controller, where it can be viewed by attackers with access to the Jenkins controller file system.

Database specific
{
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "cwe_ids": [
        "CWE-256",
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:22:01Z"
}
References

Affected packages

Maven / org.jenkins-ci.main:reverse-proxy-auth-plugin

Package

Name
org.jenkins-ci.main:reverse-proxy-auth-plugin
Purl
pkg:maven/org.jenkins-ci.main/reverse-proxy-auth-plugin

Affected ranges

Type
ECOSYSTEM
Events
Introduced
1.7.3
Fixed
1.7.4