GHSA-x2w2-5552-fjv6

Source
https://github.com/advisories/GHSA-x2w2-5552-fjv6
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/11/GHSA-x2w2-5552-fjv6/GHSA-x2w2-5552-fjv6.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-x2w2-5552-fjv6
Aliases
  • CVE-2022-45392
Published
2022-11-16T12:00:23Z
Modified
2023-11-01T05:00:22.918650Z
Severity
  • 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Summary
Plaintext Storage of a Password in Jenkins NS-ND Integration Performance Publisher Plugin
Details

NS-ND Integration Performance Publisher Plugin 4.8.0.143 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These passwords can be viewed by attackers with Item/Extended Read permission or access to the Jenkins controller file system.

NS-ND Integration Performance Publisher Plugin 4.8.0.146 stores passwords encrypted once job configurations are saved again.

Database specific
{
    "nvd_published_at": "2022-11-15T20:15:00Z",
    "cwe_ids": [
        "CWE-256",
        "CWE-522"
    ],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2022-11-21T22:23:56Z"
}
References

Affected packages

Maven / io.jenkins.plugins:cavisson-ns-nd-integration

Package

Name
io.jenkins.plugins:cavisson-ns-nd-integration
Purl
pkg:maven/io.jenkins.plugins/cavisson-ns-nd-integration

Affected ranges

Type
ECOSYSTEM
Events
Introduced
0 (Unknown introduced version / All previous versions are affected)
Fixed
4.8.0.146

Affected versions

4.*

4.6.0.23
4.6.0.24
4.6.1.40
4.6.1.65
4.6.1.65.1
4.6.1.65.2
4.6.1.66
4.6.1.68
4.6.1.69
4.6.1.70
4.6.1.76
4.6.1.78
4.6.1.79
4.6.1.80
4.6.1.82
4.6.1.83
4.6.1.85
4.6.1.93
4.8.0.77
4.8.0.129
4.8.0.130
4.8.0.134
4.8.0.142
4.8.0.143

Database specific

{
    "last_known_affected_version_range": "<= 4.8.0.143"
}