GHSA-wphq-j78p-fhgp

Suggest an improvement
Source
https://github.com/advisories/GHSA-wphq-j78p-fhgp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wphq-j78p-fhgp/GHSA-wphq-j78p-fhgp.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wphq-j78p-fhgp
Aliases
Published
2022-05-24T17:27:06Z
Modified
2024-02-16T08:11:03.063755Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Secret stored in plain text by Jenkins Parameterized Remote Trigger Plugin
Details

Parameterized Remote Trigger Plugin 3.1.3 and earlier stores a secret unencrypted in its global configuration file org.jenkinsci.plugins.ParameterizedRemoteTrigger.RemoteBuildConfiguration.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Parameterized Remote Trigger Plugin 3.1.4 stores the secret encrypted once its configuration is saved again.

References

Affected packages

Maven / org.jenkins-ci.plugins:Parameterized-Remote-Trigger

Package

Name
org.jenkins-ci.plugins:Parameterized-Remote-Trigger
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/Parameterized-Remote-Trigger

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
3.1.4

Affected versions

1.*

1.1

2.*

2.0
2.1
2.1.3
2.2.2

3.*

3.0.0
3.0.1
3.0.2
3.0.3
3.0.4
3.0.5
3.0.6
3.0.7
3.0.8
3.0.9
3.1.0
3.1.1
3.1.2
3.1.3

Database specific

{
    "last_known_affected_version_range": "<= 3.1.3"
}