CVE-2022-38663

CWE-522 — Insufficiently Protected Credentials6 documents6 sources

Severity

6.5MEDIUM

EPSS

2.0%

top 16.14%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins GIT Plugin Jenkins GIT

Timeline

PublishedAug 23

Latest updateAug 24

Description

Jenkins Git Plugin 4.11.4 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log provided by the Git Username and Password (`gitUsernamePassword`) credentials binding.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:git< 4.11.5

▶CVEListV5jenkins_project/jenkins_git_pluginunspecified — 4.11.4

▶NVDjenkins/git4.11.4

🔴Vulnerability Details

GHSA

Improper masking of credentials Jenkins in Git Plugin↗2022-08-24

▶

OSV

Improper masking of credentials Jenkins in Git Plugin↗2022-08-24

▶

CVEList

CVE-2022-38663: Jenkins Git Plugin 4↗2022-08-23

▶

📋Vendor Advisories

Red Hat

jenkins-2-plugins/git: Improper masking of credentials in Git Plugin↗2022-08-23

▶

Jenkins

Jenkins Security Advisory 2022-08-23↗2022-08-23

▶