GHSA-wwgx-94v6-fc2p

Source
https://github.com/advisories/GHSA-wwgx-94v6-fc2p
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-wwgx-94v6-fc2p/GHSA-wwgx-94v6-fc2p.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-wwgx-94v6-fc2p
Aliases
Published
2022-05-13T01:50:55Z
Modified
2024-02-16T08:15:54.165492Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins SSH Agent Plugin exposes SSH private key password to users with permission to read the build log
Details

An exposure of sensitive information vulnerability exists in Jenkins SSH Agent Plugin 1.15 and earlier in SSHAgentStepExecution.java that exposes the SSH private key password to users with permission to read the build log. As of version 1.16, the plugin no longer logs the ssh-add invocation that would reveal the passphrase.

Database specific
{
    "nvd_published_at": "2018-08-01T13:29:00Z",
    "cwe_ids": [
        "CWE-532"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T17:00:02Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:ssh-agent

Package

Name
org.jenkins-ci.plugins:ssh-agent
Purl
pkg:maven/org.jenkins-ci.plugins/ssh-agent

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
1.16

Affected versions

0.*

0.1

1.*

1.0
1.1
1.2
1.3
1.4
1.4.1
1.4.2
1.5
1.6
1.7
1.8
1.9
1.10
1.11
1.12
1.13
1.14
1.15

Database specific

{
    "last_known_affected_version_range": "<= 1.15"
}