GHSA-C4JR-VJM4-27HQ

Vulnerability from github – Published: 2023-03-28 21:30 – Updated: 2023-04-05 19:40
VLAI
Summary
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Details

Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.

Users are potentially affected if they: - are using Veracode Scan Jenkins Plugin prior to 23.3.19.0 - AND have configured Veracode Scan to run on remote agent jobs - AND have enabled the "Connect using proxy" option - AND have configured the proxy settings with proxy credentials - AND a Jenkins admin has enabled debug in global system settings.

By default, even in this configuration only the job owner or Jenkins admin can view the job log.

Show details on source website

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "com.veracode.jenkins:veracode-scan"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "23.3.19.0"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2023-25721"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-532"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2023-04-05T19:40:36Z",
    "nvd_published_at": "2023-03-28T20:15:00Z",
    "severity": "MODERATE"
  },
  "details": "Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.\n\nUsers are potentially affected if they:\n- are using Veracode Scan Jenkins Plugin prior to 23.3.19.0\n- AND have configured Veracode Scan to run on remote agent jobs\n- AND have enabled the \"Connect using proxy\" option\n- AND have configured the proxy settings with proxy credentials\n- AND a Jenkins admin has enabled debug in global system settings.\n\nBy default, even in this configuration only the job owner or Jenkins admin can view the job log.",
  "id": "GHSA-c4jr-vjm4-27hq",
  "modified": "2023-04-05T19:40:36Z",
  "published": "2023-03-28T21:30:20Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2023-25721"
    },
    {
      "type": "WEB",
      "url": "https://community.veracode.com/s/spotlight/frequently-asked-questions-for-cve-2023-25721-and-cve-2023-25722-MCFT34TH6OGRFR7F7JGDQQP4TNZE"
    },
    {
      "type": "WEB",
      "url": "https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/veracode-scan-plugin"
    },
    {
      "type": "WEB",
      "url": "https://veracode.com"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Veracode Scan Jenkins Plugin vulnerable to information disclosure"
}



Log in or create an account to share your comment.




Tags
Taxonomy of the tags.


Loading…

Loading…

Loading…

Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Loading…

Detection rules are retrieved from Rulezet.

Loading…

Loading…