Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS1qcDhyLWpoNWotY2d3Zs4AAiId

Jenkins CodeScan Plugin has Insufficiently Protected Credentials

CodeScan Plugin stores an API key unencrypted in its global configuration file com.villagechief.codescan.jenkins.CodeScanBuilder.xml on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system.

As of publication of this advisory, there is no fix.

Permalink: https://github.com/advisories/GHSA-jp8r-jh5j-cgwf
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1qcDhyLWpoNWotY2d3Zs4AAiId
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 2 years ago
Updated: almost 2 years ago


CVSS Score: 3.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Identifiers: GHSA-jp8r-jh5j-cgwf, CVE-2019-10423
References: Blast Radius: 1.0

Affected Packages

maven:com.villagechief.codescan.jenkins:codescan
Affected Version Ranges: <= 1.0
No known fixed version