CVE-2023-40340 – org.jenkins-ci.plugins:nodejs

Package

Manager: maven
Name: org.jenkins-ci.plugins:nodejs
Vulnerable Version: >=0 <1.6.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00072 pctl0.22363

Details

Jenkins NodeJS Plugin improper credential masking vulnerability Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. NodeJS Plugin 1.6.1 masks credentials specified in the Npm config file in Pipeline build logs.

Metadata

Created: 2023-08-16T15:30:18Z
Modified: 2024-01-04T12:09:17Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/08/GHSA-36fg-whr2-g999/GHSA-36fg-whr2-g999.json
CWE IDs: []
Alternative ID: GHSA-36fg-whr2-g999
Finding: F038
Auto approve: 1