Lucene search

GitHub Advisory DatabaseGHSA-GMG2-3W6V-945P

HistoryMay 24, 2022 - 5:08 p.m.

Password stored in plain text by Parasoft Environment Manager Plugin

2022-05-2417:08:47

CWE-256

CWE-522

GitHub Advisory Database

github.com

jenkins

parasoft

plain text

password

unencrypted

config.xml

file system

security

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.4%

JSON

Jenkins Parasoft Environment Manager Plugin 2.14 and earlier stores a password unencrypted in job config.xml files on the Jenkins master where it can be viewed by users with Extended Read permission, or access to the master file system.

Affected configurations

Vulners

Node

com.parasoft\environmentMatchmanager

References

www.openwall.com/lists/oss-security/2020/02/12/3

github.com/advisories/GHSA-gmg2-3w6v-945p

github.com/jenkinsci/environment-manager-tools-plugin/commit/a2511b9d3dfbd3778471c6840ae6026076f11134

jenkins.io/security/advisory/2020-02-12/#SECURITY-1562

nvd.nist.gov/vuln/detail/CVE-2020-2132

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

28.4%

JSON

Related for GHSA-GMG2-3W6V-945P