CVE-2019-1003021 – org.jenkins-ci.plugins:oic-auth
Package
Manager: maven
Name: org.jenkins-ci.plugins:oic-auth
Vulnerable Version: >=0 <1.5
Severity
Level: Medium
CVSS v3.0: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00038 (percentile 0.1036)
Details
Jenkins OpenId Connect Authentication Plugin showed plain text client secret in configuration form
An exposure of sensitive information vulnerability exists in Jenkins OpenId Connect Authentication Plugin 1.4 and earlier in OicSecurityRealm/config.jelly: the configured OpenID Connect client secret is rendered in plain text in the security realm's configuration form. Attackers able to view a Jenkins administrator's web browser output, or to control the browser (e.g. via a malicious extension), can retrieve the configured client secret. Versions 1.5 and later are not affected. Because the client secret is the credential with which Jenkins authenticates to the identity provider, a secret that may have been exposed this way should be rotated at the provider after upgrading.
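The defect class described above is a configuration field whose saved value is written back into the form as plain text. The following is an added example, not the plugin's own code: it reconstructs the vulnerable pattern in comments and shows the Jenkins idiom (hudson.util.Secret bound to f:password) that avoids it. The package, class and field names are assumptions; the Jenkins and Stapler APIs used are real.

```java
// Added example, not code from the OpenId Connect Authentication Plugin.
// Package, class and field names are assumptions; hudson.util.Secret,
// hudson.Util and @DataBoundConstructor are real Jenkins/Stapler APIs.
package io.example.oicauth;

import hudson.Util;
import hudson.util.Secret;
import org.kohsuke.stapler.DataBoundConstructor;

import java.io.UnsupportedEncodingException;
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

/*
 * VULNERABLE PATTERN (the defect class this advisory describes, reconstructed):
 * the secret is held as a String and bound to an <f:textbox/>. Every time an
 * administrator opens the security configuration page the saved secret is
 * emitted into the page source as value="..." and can be read by anything
 * that can see or control that browser session (a malicious extension,
 * screen sharing, a saved copy of the page).
 *
 *   private final String clientSecret;                       // Java
 *   public String getClientSecret() { return clientSecret; }
 *
 *   <f:entry title="Client secret" field="clientSecret">   <!-- config.jelly -->
 *     <f:textbox/>
 *   </f:entry>
 *
 * HARDENED PATTERN (the class below): hold a hudson.util.Secret and bind it to
 * <f:password/>. The form then carries only the instance-encrypted form of the
 * value, config.xml persists that same encrypted string, and the plain text is
 * produced only where it is actually needed.
 *
 *   <f:entry title="Client secret" field="clientSecret">   <!-- config.jelly -->
 *     <f:password/>
 *   </f:entry>
 */
public class OidcClientConfig {
    private final String clientId;
    private final Secret clientSecret;

    @DataBoundConstructor
    public OidcClientConfig(String clientId, String clientSecret) {
        this.clientId = Util.fixNull(Util.fixEmptyAndTrim(clientId));
        // Secret.fromString accepts either a freshly typed plain-text value or
        // the encrypted string that f:password submits back unchanged when the
        // administrator leaves the field alone, so re-saving the page never
        // re-enters (or re-displays) the plain text.
        this.clientSecret = Secret.fromString(Util.fixNull(clientSecret));
    }

    public String getClientId() {
        return clientId;
    }

    /**
     * Bound by config.jelly. Returning a Secret rather than a String is what
     * lets f:password render the encrypted value instead of the plain text.
     */
    public Secret getClientSecret() {
        return clientSecret;
    }

    /**
     * Decrypt only at the point of use: building the token-endpoint request
     * body for the authorization-code exchange.
     */
    public String tokenRequestBody(String code, String redirectUri) {
        return "grant_type=authorization_code"
                + "&code=" + formEncode(code)
                + "&redirect_uri=" + formEncode(redirectUri)
                + "&client_id=" + formEncode(clientId)
                + "&client_secret=" + formEncode(clientSecret.getPlainText());
    }

    /** Never let the secret ride along into logs via an implicit toString(). */
    @Override
    public String toString() {
        return "OidcClientConfig{clientId=" + clientId + ", clientSecret=****}";
    }

    private static String formEncode(String value) {
        try {
            return URLEncoder.encode(Util.fixNull(value), StandardCharsets.UTF_8.name());
        } catch (UnsupportedEncodingException e) {
            throw new AssertionError("UTF-8 is always supported", e); // unreachable
        }
    }
}
```

Two caveats follow from this design. The encrypted value that f:password places in the form is reversible by anyone who can run code on the controller (for example through the script console), so this closes the browser-side exposure the advisory describes without making the secret safe from administrators; and for secrets of this kind the Jenkins Credentials plugin, referenced by credential ID rather than stored inline, is the more conventional home.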
Metadata
Created: 2022-05-13T01:31:34Z
Modified: 2024-01-30T22:28:39Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-3858-58w9-wpcg/GHSA-3858-58w9-wpcg.json
CWE IDs: ["CWE-200"]
Alternative ID: GHSA-3858-58w9-wpcg
Finding: F308
Auto approve: 1