CVE-2023-24440 – org.jenkins-ci.plugins:jira-steps
Package
Manager: maven
Name: org.jenkins-ci.plugins:jira-steps
Vulnerable Version: >=0 <=2.0.165.v8846cf59f3db
Severity
Level: Medium
CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00027 (percentile: 0.05791)
Details
Cleartext Transmission of Sensitive Information in Jenkins JIRA Pipeline Steps Plugin
Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier transmits the private key in plain text as part of the global Jenkins configuration form, potentially resulting in its exposure.
Metadata
Created: 2023-01-26T21:30:18Z
Modified: 2023-02-06T16:40:55Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/01/GHSA-3g2g-rcm6-rrq2/GHSA-3g2g-rcm6-rrq2.json
CWE IDs: ["CWE-319"]
Alternative ID: GHSA-3g2g-rcm6-rrq2
Finding: F017
Auto approve: 1