CVE-2022-43426 – io.jenkins.plugins:s3explorer

Package

Manager: maven
Name: io.jenkins.plugins:s3explorer
Vulnerable Version: >=0 <=1.0.8

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00193 pctl0.41415

Details

AWS secrets displayed without masking by Jenkins S3 Explorer Plugin S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file `s3explorer.xml` on the Jenkins controller as part of its configuration. While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Metadata

Created: 2022-10-19T19:00:18Z
Modified: 2022-12-16T19:53:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/10/GHSA-mf4p-wjrm-cmjp/GHSA-mf4p-wjrm-cmjp.json
CWE IDs: ["CWE-256", "CWE-549"]
Alternative ID: GHSA-mf4p-wjrm-cmjp
Finding: F014
Auto approve: 1