GHSA-mf4p-wjrm-cmjp

Опубликовано: 19 окт. 2022

Источник: github

Github: Прошло ревью

CVSS3: 3.1

Описание

AWS secrets displayed without masking by Jenkins S3 Explorer Plugin

S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Ссылки

Пакеты

Наименование

io.jenkins.plugins:s3explorer

maven

Затронутые версииВерсия исправления

<= 1.0.8

Отсутствует

EPSS

Процентиль: 71%

0.00694

Низкий

3.1 Low

CVSS3

CVE ID

CVE-2022-43426

Дефекты

CWE-256

CWE-549

Связанные уязвимости

CVE-2022-43426

CVSS3: 5.3

nvd

больше 3 лет назад

Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

EPSS

Процентиль: 71%

0.00694

Низкий

3.1 Low

CVSS3

CVE ID

CVE-2022-43426

Дефекты

CWE-256

CWE-549