CVE-2020-2213 – org.jenkins-ci.plugins:whitesource

Package

Manager: maven
Name: org.jenkins-ci.plugins:whitesource
Vulnerable Version: >=0 <20.8.1

Severity

Level: Medium

CVSS v3.1: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00031 pctl0.07238

Details

Credentials stored in plain text by Jenkins White Source Plugin White Source Plugin prior to version 20.8.1 stores credentials in plain text as part of its global configuration file `org.whitesource.jenkins.pipeline.WhiteSourcePipelineStep.xml` and job config.xml files on the Jenkins controller. These credentials could be viewed by users with Extended Read permission (in the case of job config.xml files) or access to the Jenkins controller file system. Version 20.8.1 contains a patch for the issue.

Metadata

Created: 2022-05-24T17:22:19Z
Modified: 2022-12-29T00:50:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2022/05/GHSA-v8v2-fhgv-3vq2/GHSA-v8v2-fhgv-3vq2.json
CWE IDs: ["CWE-256", "CWE-522"]
Alternative ID: GHSA-v8v2-fhgv-3vq2
Finding: F020
Auto approve: 1