CVE-2023-25721 – com.veracode.jenkins:veracode-scan
Package
Manager: maven
Name: com.veracode.jenkins:veracode-scan
Vulnerable Version: >=0 <23.3.19.0
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:P/PR:H/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00215 pctl0.44084
Details
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations. Users are potentially affected only if all of the following hold:
- they are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the "Connect using proxy" option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or a Jenkins admin can view the job log, which limits who can read the leaked credentials.
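The check a practitioner would want here is twofold: is the installed plugin in the advisory's affected range (>=0 <23.3.19.0), and do any existing job logs already contain a proxy URL with embedded credentials that need rotating. The following is an added example written for this page, not code from the Veracode plugin or the GitHub advisory. The log lines in SAMPLE_LOG are constructed for illustration (the advisory does not state the exact log format), the assumption being that a leaked proxy credential shows up as a URL of the form scheme://user:password@host, and the keys in exposure_conditions are hypothetical names for the five conditions listed above.

```python
import re
from typing import Dict, List, Tuple

# First non-vulnerable release according to the advisory (affected range: >=0 <23.3.19.0).
FIXED_VERSION = "23.3.19.0"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted plugin version such as '23.3.19.0' into a comparable int tuple.

    Non-numeric suffixes (e.g. '-SNAPSHOT') are ignored and short versions are
    padded with zeros so that '23.3' compares like '23.3.0.0'.
    """
    parts: List[int] = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    while len(parts) < 4:
        parts.append(0)
    return tuple(parts)


def is_vulnerable_version(installed: str) -> bool:
    """True when the installed plugin version falls inside the advisory range."""
    return parse_version(installed) < parse_version(FIXED_VERSION)


def exposure_conditions(cfg: Dict[str, object]) -> bool:
    """All five advisory conditions must hold for proxy credentials to reach the job log.

    The dictionary keys are hypothetical names chosen for this example.
    """
    return (
        is_vulnerable_version(str(cfg["plugin_version"]))
        and bool(cfg["remote_agent"])
        and bool(cfg["connect_using_proxy"])
        and bool(cfg["proxy_credentials_configured"])
        and bool(cfg["global_debug_enabled"])
    )


# A URL whose userinfo component carries a password: scheme://user:password@host
PROXY_CRED_RE = re.compile(
    r"(?P<scheme>[a-zA-Z][a-zA-Z0-9+.\-]*://)(?P<user>[^:/@\s]+):(?P<password>[^@\s]+)@"
)


def find_leaked_proxy_credentials(log_lines: List[str]) -> List[Tuple[int, str]]:
    """Return (1-based line number, username) for every credential-bearing proxy URL.

    The password itself is deliberately not returned, so the finding can be
    reported without copying the secret somewhere else.
    """
    findings: List[Tuple[int, str]] = []
    for lineno, line in enumerate(log_lines, start=1):
        for match in PROXY_CRED_RE.finditer(line):
            findings.append((lineno, match.group("user")))
    return findings


def redact_line(line: str) -> str:
    """Mask the password in any scheme://user:password@ sequence on the line."""
    return PROXY_CRED_RE.sub(r"\g<scheme>\g<user>:***@", line)


# Constructed sample console output; the real plugin's wording may differ.
SAMPLE_LOG = [
    "Started by user alice",
    "[Veracode] Connecting through proxy http://svc-proxy:Hunter2!@proxy.corp.example:3128",
    "[Veracode] Upload complete",
]

if __name__ == "__main__":
    print("23.3.18.0 vulnerable:", is_vulnerable_version("23.3.18.0"))
    print("23.3.19.0 vulnerable:", is_vulnerable_version("23.3.19.0"))
    for lineno, user in find_leaked_proxy_credentials(SAMPLE_LOG):
        print(f"line {lineno}: proxy credential for user {user!r} exposed; rotate it")
        print("redacted:", redact_line(SAMPLE_LOG[lineno - 1]))
```

Upgrading past 23.3.19.0 stops new leaks, but any log written while all five conditions held should be scanned (or simply purged) and the proxy credential rotated, since job logs are often archived or shipped to external log stores where the default owner/admin-only view no longer applies.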
Metadata
Created: 2023-03-28T21:30:20Z
Modified: 2023-04-05T19:40:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-c4jr-vjm4-27hq/GHSA-c4jr-vjm4-27hq.json
CWE IDs: ["CWE-532"]
Alternative ID: GHSA-c4jr-vjm4-27hq
Finding: F009
Auto approve: 1