Lucene search

GitHub Advisory DatabaseGHSA-X3QH-53QF-JXQ9

HistoryDec 12, 2022 - 9:30 a.m.

Jenkins Gitea Plugin vulnerable to Cleartext Transmission of Sensitive Information

2022-12-1209:30:35

CWE-319

GitHub Advisory Database

github.com

jenkins

gitea plugin

cleartext transmission

sensitive information

personal access tokens

credentials masking

build log

ssh checkout

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log.

Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens.

Administrators unable to update are advised to use SSH checkout instead.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchgitea

CPENameOperatorVersion
org.jenkins-ci.plugins:gitealt1.4.5

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:gitea	lt	1.4.5

References

github.com/advisories/GHSA-x3qh-53qf-jxq9

github.com/jenkinsci/gitea-plugin/commit/b3b2bd869b91f9f1312bbbbf6128cad2cd86bd8c

nvd.nist.gov/vuln/detail/CVE-2022-46685

www.jenkins.io/security/advisory/2022-12-07/#SECURITY-2661

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.9%

JSON

Related for GHSA-X3QH-53QF-JXQ9