Описание
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.
Users are potentially affected if they:
- are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the "Connect using proxy" option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or Jenkins admin can view the job log.
Пакеты
Наименование
com.veracode.jenkins:veracode-scan
maven
Затронутые версииВерсия исправления
< 23.3.19.0
23.3.19.0
Связанные уязвимости
CVSS3: 6.5
nvd
почти 3 года назад
Veracode Scan Jenkins Plugin before 23.3.19.0, when the "Connect using proxy" option is enabled and configured with proxy credentials and when the Jenkins global system setting debug is enabled and when a scan is configured for remote agent jobs, allows users (with access to view the job log) to discover proxy credentials.