GHSA-3hw6-gc8h-9243

Suggest an improvement
Source
https://github.com/advisories/GHSA-3hw6-gc8h-9243
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3hw6-gc8h-9243/GHSA-3hw6-gc8h-9243.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-3hw6-gc8h-9243
Aliases
  • CVE-2018-1999031
Published
2022-05-14T02:57:57Z
Modified
2024-01-02T05:51:25.283928Z
Severity
  • 3.3 (Low) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Jenkins meliora-testlab Plugin allows attackers with file system access to Jenkins master to obtain API key
Details

An exposure of sensitive information vulnerability exists in Jenkins meliora-testlab Plugin 1.14 and earlier in TestlabNotifier.java that allows attackers with file system access to the Jenkins master to obtain the API key stored in this plugin's configuration. Additionally, the API key was not masked from view using a password form field. As of version 1.15, the plugin stores the API Key encrypted in the configuration files on disk and no longer transfers it to users viewing the configuration form in plain text.

Database specific
{
    "nvd_published_at": "2018-08-01T13:29:00Z",
    "cwe_ids": [
        "CWE-200"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-12T16:33:17Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:meliora-testlab

Package

Name
org.jenkins-ci.plugins:meliora-testlab
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/meliora-testlab

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
1.15

Affected versions

1.*

1.0
1.1
1.2
1.3
1.5
1.6
1.7
1.9
1.13
1.14

Database specific

{
    "last_known_affected_version_range": "<= 1.14"
}