CVE-2023-24439 – org.jenkins-ci.plugins:jira-steps

Package

Manager: maven
Name: org.jenkins-ci.plugins:jira-steps
Vulnerable Version: >=0 <=2.0.165.v8846cf59f3db

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00027 pctl0.05791

Details

Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Metadata

Created: 2023-01-26T21:30:18Z
Modified: 2023-02-06T16:39:45Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-g29v-5pwh-wxx4/GHSA-g29v-5pwh-wxx4.json
CWE IDs: ["CWE-256", "CWE-312"]
Alternative ID: GHSA-g29v-5pwh-wxx4
Finding: F020
Auto approve: 1