History: Jan 26, 2023 - 9:18 p.m.

CVE-2023-24442

2023-01-26 21:18:17
CWE-312
jenkins
web.nvd.nist.gov
43
jenkins
github
plugin
cve-2023-24442
security vulnerability

CVSS3: 5.5
Attack Vector: LOCAL
Attack Complexity: LOW
Privileges Required: LOW
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: HIGH
Integrity Impact: NONE
Availability Impact: NONE
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

AI Score: 5.5
Confidence: High

EPSS: 0
Percentile: 13.2%

Jenkins GitHub Pull Request Coverage Status Plugin 2.2.0 and earlier stores the GitHub Personal Access Token, Sonar access token and Sonar password unencrypted in its global configuration file on the Jenkins controller where they can be viewed by users with access to the Jenkins controller file system.

Affected configurations

Nvd
Node
jenkins github_pull_request_coverage_status, Range 2.2.0, jenkins

Vendor: jenkins
Product: github_pull_request_coverage_status
Version: *
CPE: cpe:2.3:a:jenkins:github_pull_request_coverage_status:*:*:*:*:*:jenkins:*:*

CNA Affected

[
  {
    "product": "Jenkins GitHub Pull Request Coverage Status Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "2.2.0",
        "status": "affected",
        "version": "unspecified",
        "versionType": "custom"
      },
      {
        "lessThan": "unspecified",
        "status": "unknown",
        "version": "next of 2.2.0",
        "versionType": "custom"
      }
    ]
  }
]
