GHSA-x23m-8c2h-6wg7

Source

https://github.com/advisories/GHSA-x23m-8c2h-6wg7

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-x23m-8c2h-6wg7/GHSA-x23m-8c2h-6wg7.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-x23m-8c2h-6wg7

Aliases

CVE-2020-2095

Published

2022-05-24T17:06:23Z

Modified

2024-02-16T08:19:48.009448Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Redgate SQL Change Automation Plugin stored credentials in plain text

Details

Redgate SQL Change Automation Plugin 2.0.4 and earlier stores a NuGet API key unencrypted in job config.xml files as part of its configuration. This credential could be viewed by users with Extended Read permission or access to the Jenkins controller file system.

This is due to an incomplete fix of SECURITY-1598.

Redgate SQL Change Automation Plugin 2.0.5 now stores the API key encrypted. Existing jobs need to have their configuration saved for existing plain text passwords to be overwritten.

Database specific

{
    "nvd_published_at": "2020-01-15T16:15:00Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-21T16:45:47Z"
}

References

Affected packages

Maven / com.redgate.plugins.redgatesqlci:redgate-sql-ci

Package

Name: com.redgate.plugins.redgatesqlci:redgate-sql-ci; View open source insights on deps.dev
Purl: pkg:maven/com.redgate.plugins.redgatesqlci/redgate-sql-ci

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

2.0.5

Affected versions

1.*

1.0.1

1.0.3

1.0.5

1.0.6

1.0.7

1.0.8

1.0.10

1.0.11

1.0.12

1.0.13

1.0.14

1.0.16

2.*

2.0.0

2.0.1

2.0.2

2.0.3

2.0.4