CVE-2022-25210 – com.convertigo.jenkins.plugins:convertigo-mobile-platform
Package
Manager: maven
Name: com.convertigo.jenkins.plugins:convertigo-mobile-platform
Vulnerable Version: >=0 <=1.1
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00623 (percentile 0.69219)
Details
Improper Synchronization in Jenkins Convertigo Mobile Platform Plugin
Jenkins Convertigo Mobile Platform Plugin 1.1 and earlier uses static fields to store job configuration information, allowing attackers with Item/Configure permission to capture passwords of the jobs that will be configured.
Metadata
Created: 2022-02-16T00:01:14Z
Modified: 2022-12-01T22:11:12Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/02/GHSA-vwx4-frpr-w27j/GHSA-vwx4-frpr-w27j.json
CWE IDs: ["CWE-662", "CWE-820"]
Alternative ID: GHSA-vwx4-frpr-w27j
Finding: F184
Auto approve: 1