GHSA-v8v2-fhgv-3vq2

Suggest an improvement
Source
https://github.com/advisories/GHSA-v8v2-fhgv-3vq2
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v8v2-fhgv-3vq2/GHSA-v8v2-fhgv-3vq2.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-v8v2-fhgv-3vq2
Aliases
Published
2022-05-24T17:22:19Z
Modified
2023-11-01T04:52:25.261848Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Credentials stored in plain text by Jenkins White Source Plugin
Details

White Source Plugin prior to version 20.8.1 stores credentials in plain text as part of its global configuration file org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system. Version 20.8.1 contains a patch for the issue.

Database specific
{
    "nvd_published_at": "2020-07-02T15:15:00Z",
    "cwe_ids": [
        "CWE-256",
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-29T00:50:08Z"
}
References

Affected packages

Maven / org.jenkins-ci.plugins:whitesource

Package

Name
org.jenkins-ci.plugins:whitesource
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.plugins/whitesource

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0Unknown introduced version / All previous versions are affected
Fixed
20.8.1

Affected versions

1.*

1.0
1.1
1.3
1.4
1.5.1
1.5.2
1.7
1.7.1
1.7.2
1.7.3
1.7.4
1.7.5
1.7.6
1.7.7
1.7.8
1.7.9
1.8.0
1.8.1
1.8.2

17.*

17.11.4
17.12.1

18.*

18.1.1
18.1.3
18.3.2
18.4.1
18.5.1
18.5.1.1
18.5.2
18.5.2.1
18.6.2
18.6.3
18.8.2
18.9.1
18.10.1
18.10.2

19.*

19.1.1

20.*

20.1.2