GitHub Advisory DatabaseGHSA-C4JR-VJM4-27HQVeracode Scan Jenkins Plugin vulnerable to information disclosure
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.5%
Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.
Users are potentially affected if they:
- are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the “Connect using proxy” option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or Jenkins admin can view the job log.
Affected configurations
| Vendor | Product | Version | CPE |
|---|---|---|---|
| com.veracode.jenkins | veracode-scan | * | cpe:2.3:a:com.veracode.jenkins:veracode-scan:*:*:*:*:*:*:*:* |
Related
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
LOW
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
NONE
Availability Impact
NONE
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EPSS
Percentile
27.5%