Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS1tZjRwLXdqcm0tY21qcM4AAvdJ
AWS secrets displayed without masking by Jenkins S3 Explorer Plugin
S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration.
While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.
Permalink: https://github.com/advisories/GHSA-mf4p-wjrm-cmjpJSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS1tZjRwLXdqcm0tY21qcM4AAvdJ
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: over 1 year ago
Updated: about 1 year ago
CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
Identifiers: GHSA-mf4p-wjrm-cmjp, CVE-2022-43426
References:
- https://nvd.nist.gov/vuln/detail/CVE-2022-43426
- https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2480
- http://www.openwall.com/lists/oss-security/2022/10/19/3
- https://github.com/advisories/GHSA-mf4p-wjrm-cmjp
Affected Packages
maven:io.jenkins.plugins:s3explorer
Affected Version Ranges: <= 1.0.8No known fixed version