GHSA-w6c2-jrhh-jrxg

Source

https://github.com/advisories/GHSA-w6c2-jrhh-jrxg

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-w6c2-jrhh-jrxg/GHSA-w6c2-jrhh-jrxg.json

JSON Data

https://api.test.osv.dev/v1/vulns/GHSA-w6c2-jrhh-jrxg

Aliases

CVE-2020-2249

Published

2022-05-24T17:27:06Z

Modified

2023-11-01T04:52:27.904723Z

Severity

3.3 (Low) CVSS_V3 - CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Credentials stored in plain text by Jenkins tfs Plugin

Details

tfs Plugin 5.157.1 and earlier stores a webhook secret unencrypted in its global configuration file hudson.plugins.tfs.TeamPluginGlobalConfig.xml on the Jenkins controller as part of its configuration. This secret can be viewed by attackers with access to the Jenkins controller file system.

Database specific

{
    "nvd_published_at": "2020-09-01T14:15:00Z",
    "cwe_ids": [
        "CWE-256",
        "CWE-311"
    ],
    "severity": "LOW",
    "github_reviewed": true,
    "github_reviewed_at": "2022-12-20T22:39:49Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:tfs

Package

Name: org.jenkins-ci.plugins:tfs; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/tfs

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

5.157.1

Affected versions

2.*

2.0

3.*

3.0.0

3.0.1

3.1.1

3.2.0

4.*

4.0.0

4.1.0

5.*

5.0.0

5.1.0

5.2.0

5.2.1

5.3.1

5.3.3

5.3.4

5.121.0

5.126.0

5.133.0

5.139.1

5.139.2

5.142.0

5.157.0

5.157.1