CVE-2019-1003018 – org.jenkins-ci.plugins:github-oauth
Package
Manager: maven
Name: org.jenkins-ci.plugins:github-oauth
Vulnerable Version: >=0 <0.31
Severity
Level: Medium
CVSS v3.1: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00038 (percentile 0.1036)
Details
GitHub Authentication Plugin showed plain text client secret in configuration form.
An exposure of sensitive information vulnerability exists in Jenkins GitHub Authentication Plugin 0.29 and earlier in GithubSecurityRealm/config.jelly that allows attackers able to view a Jenkins administrator's web browser output, or to control the browser (e.g. via a malicious extension), to retrieve the configured client secret.
Metadata
Created: 2022-05-13T01:31:35Z
Modified: 2024-01-09T22:48:15Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-87pj-9q82-m9qh/GHSA-87pj-9q82-m9qh.json
CWE IDs: CWE-200
Alternative ID: GHSA-87pj-9q82-m9qh
Finding: F310
Auto approve: 1