Veracode Vulnerability Database: VERACODE:41837
History: Jul 29, 2023 - 9:51 a.m.

Information Disclosure

2023-07-29 09:51:24
Veracode Vulnerability Database
sca.analysiscenter.veracode.com
Tags: chef-identity, information disclosure, vulnerability, chefidentitybuildwrapper.xml, user.pem key, form field, sensitive information, global configuration file

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 19.5%

chef-identity is vulnerable to Information Disclosure. The vulnerability exists because ChefIdentityBuildWrapper.xml does not properly mask the user.pem key on the form field, allowing an attacker to gain sensitive information if they have access to the global configuration file, or are able to unmask the field through another method.
