Lucene search

GitHub Advisory DatabaseGHSA-XR37-PJFH-QWWC

HistoryMay 24, 2022 - 5:07 p.m.

Fortify Plugin stored credentials in plain text

2022-05-2417:07:41

CWE-256

CWE-522

GitHub Advisory Database

github.com

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Fortify Plugin 19.1.29 and earlier stored its proxy server password unencrypted in job config.xml files. This password could be read by users with the Extended Read permission.

Fortify Plugin 19.2.30 now encrypts the proxy server password.

Affected configurations

Vulners

Node

org.jenkinsci.plugins\Matchfortify

CPENameOperatorVersion
org.jenkins-ci.plugins:fortifyle19.1.29

CPE	Name	Operator	Version
	org.jenkins-ci.plugins:fortify	le	19.1.29

References

www.openwall.com/lists/oss-security/2020/01/29/1

github.com/advisories/GHSA-xr37-pjfh-qwwc

jenkins.io/security/advisory/2020-01-29/#SECURITY-1565

nvd.nist.gov/vuln/detail/CVE-2020-2107

4 Medium

CVSS2

Attack Vector

NETWORK

Attack Complexity

LOW

Authentication

SINGLE

Confidentiality Impact

PARTIAL

Integrity Impact

NONE

Availability Impact

NONE

AV:N/AC:L/Au:S/C:P/I:N/A:N

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

22.0%

JSON

Related for GHSA-XR37-PJFH-QWWC