Lucene search

GitHub Advisory DatabaseGHSA-MF4P-WJRM-CMJP

HistoryOct 19, 2022 - 7:00 p.m.

AWS secrets displayed without masking by Jenkins S3 Explorer Plugin

2022-10-1919:00:18

CWE-549

GitHub Advisory Database

github.com

aws

secrets

vulnerability

jenkins

s3 plugin

encryption

attackers

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

33.5%

JSON

S3 Explorer Plugin stores AWS_SECRET_ACCESS_KEY in its global configuration file s3explorer.xml on the Jenkins controller as part of its configuration.

While this secret is stored encrypted on disk, in S3 Explorer Plugin 1.0.8 and earlier the global configuration form does not mask the AWS_SECRET_ACCESS_KEY form field, increasing the potential for attackers to observe and capture it.

Affected configurations

Vulners

Node

io.jenkins.plugins\Matchs3explorer

CPENameOperatorVersion
io.jenkins.plugins:s3explorerle1.0.8

CPE	Name	Operator	Version
	io.jenkins.plugins:s3explorer	le	1.0.8

References

www.openwall.com/lists/oss-security/2022/10/19/3

github.com/advisories/GHSA-mf4p-wjrm-cmjp

nvd.nist.gov/vuln/detail/CVE-2022-43426

www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2480

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

33.5%

JSON

Related for GHSA-MF4P-WJRM-CMJP