Lucene search

GitHub Advisory DatabaseGHSA-CWCF-5M5W-MQ2W

HistoryMay 14, 2022 - 3:07 a.m.

Exposure of Sensitive Information to an Unauthorized Actor in Jenkins SSH Credentials Plugin

2022-05-1403:07:03

CWE-200

GitHub Advisory Database

github.com

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

A arbitrary file read vulnerability exists in Jenkins SSH Credentials Plugin 1.13 and earlier in BasicSSHUserPrivateKey.java that allows attackers with a Jenkins account and the permission to configure credential bindings to read arbitrary files from the Jenkins master file system.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchcredentials

org.jenkinsci.plugins\Matchssh

CPENameOperatorVersion
org.jenkins-ci.plugins:credentialslt2.1.17
org.jenkins-ci.plugins:ssh-credentialsle1.13

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:credentials	lt	2.1.17
	org.jenkins-ci.plugins:ssh-credentials	le	1.13

References

github.com/advisories/GHSA-cwcf-5m5w-mq2w

github.com/jenkinsci/credentials-plugin/commit/23fbd6de33cc3cb74eafd44e7b27dd87b52c8904

github.com/jenkinsci/ssh-credentials-plugin/commit/18b3121fa94a174064447d637dc11539e33b3a76

github.com/jenkinsci/ssh-credentials-plugin/commits/ssh-credentials-1.14

jenkins.io/security/advisory/2018-06-25/#SECURITY-440

nvd.nist.gov/vuln/detail/CVE-2018-1000601

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

0.001 Low

EPSS

Percentile

28.4%

JSON

Related for GHSA-CWCF-5M5W-MQ2W