Improper masking of credentials in Jenkins Pipeline Maven Integration Plugin

2023-09-0615:30:26

Google

osv.dev

jenkins

pipeline

maven

integration

plugin

credentials

security

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.0005 Low

EPSS

Percentile

17.1%

JSON

Jenkins Pipeline Maven Integration Plugin 1330.v18e473854496 and earlier does not properly mask (i.e., replace with asterisks) usernames of credentials specified in custom Maven settings in Pipeline build logs if “Treat username as secret” is checked.

CPENameOperatorVersion
org.jenkins-ci.plugins:pipeline-maveneq3.4.2
org.jenkins-ci.plugins:pipeline-maveneq2.3.0
org.jenkins-ci.plugins:pipeline-maveneq3.7.1
org.jenkins-ci.plugins:pipeline-maveneq1235.v2db_ddd9f797b
org.jenkins-ci.plugins:pipeline-maveneq3.5.13
org.jenkins-ci.plugins:pipeline-maveneq1290.vf21c81e8c57f
org.jenkins-ci.plugins:pipeline-maveneq1201.v1fce0b_9b_a_e24
org.jenkins-ci.plugins:pipeline-maveneq2.3.1
org.jenkins-ci.plugins:pipeline-maveneq1322.v9ef317a_3e0a_9
org.jenkins-ci.plugins:pipeline-maveneq3.5.12-beta-3

Name	Operator	Version
org.jenkins-ci.plugins:pipeline-maven	eq	3.4.2
org.jenkins-ci.plugins:pipeline-maven	eq	2.3.0
org.jenkins-ci.plugins:pipeline-maven	eq	3.7.1
org.jenkins-ci.plugins:pipeline-maven	eq	1235.v2db_ddd9f797b
org.jenkins-ci.plugins:pipeline-maven	eq	3.5.13
org.jenkins-ci.plugins:pipeline-maven	eq	1290.vf21c81e8c57f
org.jenkins-ci.plugins:pipeline-maven	eq	1201.v1fce0b_9b_a_e24
org.jenkins-ci.plugins:pipeline-maven	eq	2.3.1
org.jenkins-ci.plugins:pipeline-maven	eq	1322.v9ef317a_3e0a_9
org.jenkins-ci.plugins:pipeline-maven	eq	3.5.12-beta-3