Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1mamgyLXFoZmgtcnZmY84AASx7
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin CSRF vulnerability and missing permission checks
An exposure of sensitive information vulnerability exists in Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.3.1 and earlier in ArtifactoryChoiceListProvider.java, NexusChoiceListProvider.java, Nexus3ChoiceListProvider.java that allows attackers to capture credentials with a known credentials ID stored in Jenkins.
Permalink: https://github.com/advisories/GHSA-fjh2-qhfh-rvfcJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1mamgyLXFoZmgtcnZmY84AASx7
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: about 2 years ago
Updated: 4 months ago
CVSS Score: 5.4
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Identifiers: GHSA-fjh2-qhfh-rvfc, CVE-2018-1999030
References:
- https://nvd.nist.gov/vuln/detail/CVE-2018-1999030
- https://jenkins.io/security/advisory/2018-07-30/#SECURITY-1022
- https://github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/2d2e20cc00a29abf435afcad12cfc9ddadf76d89
- https://github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/5a3a3ff1e7416623c531601620305640ef4c8e28
- https://github.com/jenkinsci/maven-artifact-choicelistprovider-plugin/commit/99d97c028fbc0672b729d052d4bfc4dfa9674f23
- https://github.com/advisories/GHSA-fjh2-qhfh-rvfc
Blast Radius: 1.0
Affected Packages
maven:org.jenkins-ci.plugins:maven-artifact-choicelistprovider
Affected Version Ranges: <= 1.3.1Fixed in: 1.3.2