Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1jNGpyLXZqbTQtMjdocc4AAyZE
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.
Users are potentially affected if they:
- are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the "Connect using proxy" option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or Jenkins admin can view the job log.
Permalink: https://github.com/advisories/GHSA-c4jr-vjm4-27hqJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1jNGpyLXZqbTQtMjdocc4AAyZE
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 1 year ago
Updated: about 1 year ago
CVSS Score: 4.4
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
Identifiers: GHSA-c4jr-vjm4-27hq, CVE-2023-25721
References:
- https://nvd.nist.gov/vuln/detail/CVE-2023-25721
- https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190
- https://veracode.com
- https://community.veracode.com/s/spotlight/frequently-asked-questions-for-cve-2023-25721-and-cve-2023-25722-MCFT34TH6OGRFR7F7JGDQQP4TNZE
- https://github.com/advisories/GHSA-c4jr-vjm4-27hq
Affected Packages
maven:com.veracode.jenkins:veracode-scan
Affected Version Ranges: < 23.3.19.0Fixed in: 23.3.19.0