CVE-2019-10423 – com.villagechief.codescan.jenkins:codescan

Package

Manager: maven
Name: com.villagechief.codescan.jenkins:codescan
Vulnerable Version: >=0 <=1.0

Severity

Level: Low

CVSS v3.1: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00026 pctl0.05763

Details

Jenkins CodeScan Plugin has Insufficiently Protected Credentials CodeScan Plugin stores an API key unencrypted in its global configuration file `com.villagechief.codescan.jenkins.CodeScanBuilder.xml` on the Jenkins controller. This API key can be viewed by users with access to the Jenkins controller file system. As of publication of this advisory, there is no fix.

Metadata

Created: 2022-05-24T16:56:46Z
Modified: 2023-02-23T21:56:37Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-jp8r-jh5j-cgwf/GHSA-jp8r-jh5j-cgwf.json
CWE IDs: ["CWE-522"]
Alternative ID: GHSA-jp8r-jh5j-cgwf
Finding: F035
Auto approve: 1