Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1qcDhyLWpoNWotY2d3Zs4AAiId
Jenkins CodeScan Plugin has Insufficiently Protected Credentials
CodeScan Plugin stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml
on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system.
As of publication of this advisory, there is no fix.
Permalink: https://github.com/advisories/GHSA-jp8r-jh5j-cgwf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcDhyLWpoNWotY2d3Zs4AAiId
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago
CVSS Score: 3.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-jp8r-jh5j-cgwf, CVE-2019-10423
References:
- https://nvd.nist.gov/vuln/detail/CVE-2019-10423
- https://jenkins.io/security/advisory/2019-09-25/#SECURITY-1551
- http://www.openwall.com/lists/oss-security/2019/09/25/3
- https://github.com/advisories/GHSA-jp8r-jh5j-cgwf
Affected Packages
maven:com.villagechief.codescan.jenkins:codescan
Affected Version Ranges: <= 1.0
No known fixed version