GHSA-gqxr-hvrw-6hfh

Suggest an improvement
Source
https://github.com/advisories/GHSA-gqxr-hvrw-6hfh
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/05/GHSA-gqxr-hvrw-6hfh/GHSA-gqxr-hvrw-6hfh.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-gqxr-hvrw-6hfh
Aliases
  • CVE-2023-33000
Published
2023-05-16T18:30:16Z
Modified
2023-11-11T05:34:52.927292Z
Severity
  • 3.1 (Low) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Jenkins NS-ND Integration Performance Publisher Plugin displays credentials without masking
Details

Jenkins NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.

While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.

Database specific
{
    "nvd_published_at": "2023-05-16T17:15:12Z",
    "cwe_ids": [
        "CWE-522"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2023-05-17T03:37:48Z"
}
References

Affected packages

Maven / io.jenkins.plugins:cavisson-ns-nd-integration

Package

Name
io.jenkins.plugins:cavisson-ns-nd-integration
View open source insights on deps.dev
Purl
pkg:maven/io.jenkins.plugins/cavisson-ns-nd-integration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
4.11.0.48

Affected versions

4.*

4.6.0.23
4.6.0.24
4.6.1.40
4.6.1.65
4.6.1.65.1
4.6.1.65.2
4.6.1.66
4.6.1.68
4.6.1.69
4.6.1.70
4.6.1.76
4.6.1.78
4.6.1.79
4.6.1.80
4.6.1.82
4.6.1.83
4.6.1.85
4.6.1.93
4.8.0.77
4.8.0.129
4.8.0.130
4.8.0.134
4.8.0.142
4.8.0.143
4.8.0.146
4.8.0.147
4.8.0.148
4.8.0.149