GHSA-hr74-2j5v-ghfv

Source
https://github.com/advisories/GHSA-hr74-2j5v-ghfv
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-hr74-2j5v-ghfv/GHSA-hr74-2j5v-ghfv.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-hr74-2j5v-ghfv
Aliases
Published
2022-05-14T03:23:44Z
Modified
2023-11-01T04:48:34.189955Z
Severity
  • 4.0 (Medium) CVSS_V3 - CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Summary
Jenkins GitHub Pull Request Builder Plugin allows attacker with local file system access to obtain GitHub credentials
Details

An exposure of sensitive information vulnerability exists in Jenkins GitHub Pull Request Builder Plugin version 1.39.0 and older in GhprbCause.java that allows an attacker with local file system access to obtain GitHub credentials. Since 1.40.0, the plugin no longer stores serialized objects containing the credential on disk. Builds started before the plugin was updated to 1.40.0 will retain the encoded credentials on disk. We strongly recommend revoking old GitHub credentials used in Jenkins. We’re providing a script for use in the Script Console that will attempt to remove old stored credentials from build.xml files.
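The practical follow-up to the paragraph above is an audit: after upgrading, which builds on disk still carry a serialized GhprbCause with credential material, and can it be stripped? The script below is an added example for this page; it is not the plugin's code and not the Script Console script the Jenkins project published. It assumes that XStream serializes the cause into build.xml under an element named after the Java class (`org.jenkinsci.plugins.ghprb.GhprbCause`), and it uses a heuristic list of field-name fragments (`password`, `token`, `credential`, ...) to decide what looks like a credential, since the page does not name the exact field. The sample build.xml is constructed for the demo, including its `password` field.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Field-name fragments treated as credential material. Heuristic assumption
# for this example, not a list taken from the plugin's source.
CREDENTIAL_HINTS = ("password", "passwd", "token", "credential", "secret")


def _is_ghprb_cause(elem):
    # XStream names the element after the Java class, so the serialized cause
    # is expected as <org.jenkinsci.plugins.ghprb.GhprbCause> (assumed).
    return elem.tag == "GhprbCause" or elem.tag.endswith(".GhprbCause")


def find_ghprb_cause_fields(build_xml):
    """One {"tag", "fields", "suspicious"} record per GhprbCause element.
    ElementTree does not resolve external entities, so a hostile build.xml
    cannot turn this audit into an XXE read."""
    root = ET.fromstring(build_xml)
    records = []
    for elem in root.iter():
        if not _is_ghprb_cause(elem):
            continue
        fields = [child.tag for child in elem]
        suspicious = [f for f in fields
                      if any(h in f.lower() for h in CREDENTIAL_HINTS)]
        records.append({"tag": elem.tag, "fields": fields, "suspicious": suspicious})
    return records


def redact_ghprb_cause_fields(build_xml):
    """Return (new_xml, removed): every credential-looking child of every
    GhprbCause element is dropped. Pure function; writing the result back is
    the caller's job and must happen with Jenkins stopped (or via the Script
    Console), otherwise the running process rewrites build.xml from memory."""
    root = ET.fromstring(build_xml)
    removed = 0
    for elem in root.iter():
        if not _is_ghprb_cause(elem):
            continue
        for child in list(elem):
            if any(h in child.tag.lower() for h in CREDENTIAL_HINTS):
                elem.remove(child)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def scan_jenkins_home(jenkins_home):
    """Walk jobs/**/builds/<n>/build.xml under JENKINS_HOME and return
    [(path, [suspicious field names])] for builds that still need cleanup."""
    hits = []
    for dirpath, _dirs, files in os.walk(os.path.join(jenkins_home, "jobs")):
        if "build.xml" not in files:
            continue
        if os.path.basename(os.path.dirname(dirpath)) != "builds":
            continue
        path = os.path.join(dirpath, "build.xml")
        with open(path, encoding="utf-8") as fh:
            xml_text = fh.read()
        try:
            records = find_ghprb_cause_fields(xml_text)
        except ET.ParseError:
            continue  # unreadable file; report nothing rather than crash the scan
        suspicious = [f for r in records for f in r["suspicious"]]
        if suspicious:
            hits.append((path, suspicious))
    return hits


# Constructed build.xml shaped like a build started by the plugin before the
# fix. The field names inside the cause are illustrative, not the plugin's.
SAMPLE_BUILD_XML = """<build>
  <actions>
    <hudson.model.CauseAction>
      <causeBag class="linked-hash-map">
        <entry>
          <org.jenkinsci.plugins.ghprb.GhprbCause>
            <pullID>42</pullID>
            <title>constructed sample pull request</title>
            <password>not-a-real-secret</password>
          </org.jenkinsci.plugins.ghprb.GhprbCause>
          <int>1</int>
        </entry>
      </causeBag>
    </hudson.model.CauseAction>
  </actions>
</build>
"""


def make_sample_jenkins_home():
    """Throwaway JENKINS_HOME with one affected build (#7) and one already
    redacted build (#8); returns its path."""
    home = tempfile.mkdtemp(prefix="jenkins-ghprb-")
    affected = os.path.join(home, "jobs", "pr-builder", "builds", "7")
    clean = os.path.join(home, "jobs", "pr-builder", "builds", "8")
    os.makedirs(affected)
    os.makedirs(clean)
    with open(os.path.join(affected, "build.xml"), "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_BUILD_XML)
    clean_xml, _ = redact_ghprb_cause_fields(SAMPLE_BUILD_XML)
    with open(os.path.join(clean, "build.xml"), "w", encoding="utf-8") as fh:
        fh.write(clean_xml)
    return home


if __name__ == "__main__":
    for path, fields in scan_jenkins_home(make_sample_jenkins_home()):
        print(f"{path}: credential-looking fields in GhprbCause: {fields}")
```

Run it against a real controller with `scan_jenkins_home("/var/lib/jenkins")` after the upgrade to 1.40.0; a non-empty result means the advisory's second step still applies. Scrubbing build.xml only removes the copy on disk, so revoke the GitHub credentials regardless of what the scan reports, since anyone with local file system access before the cleanup may already hold them.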

Database specific
{
    "nvd_published_at": "2018-04-05T13:29:00Z",
    "github_reviewed_at": "2022-12-12T21:06:35Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200"
    ]
}
References

Affected packages

Maven / org.jenkins-ci.plugins:ghprb

Package

Name
org.jenkins-ci.plugins:ghprb
Purl
pkg:maven/org.jenkins-ci.plugins/ghprb

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (unknown introduced version; all previous versions are affected)
Fixed
1.40.0

Database specific

{
    "last_known_affected_version_range": "<= 1.39.0"
}