Data

Tools

Indexes

Applications

Experiments

Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

GSA_kwCzR0hTQS01cGc4LWY4OXgtd2pjeM4AAjxy

Low CVSS: 3.1 EPSS: 0.00027% (0.06507 Percentile) EPSS:
Permalink JSON

Credentials transmitted in plain text by Jenkins Logstash Plugin

Affected Packages Affected Versions Fixed Versions
maven:org.jenkins-ci.plugins:logstash < 2.3.2 2.3.2

Logstash Plugin stores credentials in its global configuration file jenkins.plugins.logstash.LogstashConfiguration.xml on the Jenkins controller as part of its configuration.

While the credentials are stored encrypted on disk, they are transmitted in plain text as part of the configuration form by Logstash Plugin 2.3.1 and earlier. This can result in exposure of the credential through browser extensions, cross-site scripting vulnerabilities, and similar situations.

Logstash Plugin 2.3.2 transmits the credentials in its global configuration encrypted.

References:

Identifiers

GHSA-5pg8-f89x-wjcx

CVE-2020-2143

Risk

Severity

Low

CVSS

CVSS Score: 3.1

CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

EPSS

EPSS Percentage: 0.00027

EPSS Percentile: 0.06507

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Repository

https://github.com/jenkinsci/logstash-plugin
View on Ecosyste.ms

Date and time

Published

over 3 years ago

Updated

3 days ago

API

JSON