CVE-2023-24439 — Cleartext Storage of Sensitive Info in Project Jenkins Jira Pipeline Steps Plugin

CWE-312 — Cleartext Storage of Sensitive Info CWE-256 — Plaintext Storage of a Password CWE-20 — Improper Input Validation CWE-78 — OS Command Injection7 documents6 sources

Severity

5.5MEDIUMNVD

GHSA8.1

EPSS

0.0%

top 87.16%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Jira Pipeline Steps Plugin Jenkins Jira Pipeline Steps

Timeline

PublishedJan 26

Latest updateAug 11

Description

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 1.8 | Impact: 3.6

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_jira_pipeline_steps_pluginunspecified — 2.0.165.v8846cf59f3db

▶NVDjenkins/jira_pipeline_steps2.0.165.v8846cf59f3db

🔴Vulnerability Details

GHSA

GitPython vulnerable to remote code execution due to insufficient sanitization of input arguments↗2023-08-11

▶

OSV

Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin↗2023-01-26

▶

GHSA

Plaintext Storage of a Password in Jenkins JIRA Pipeline Steps Plugin↗2023-01-26

▶

CVEList

CVE-2023-24439: Jenkins JIRA Pipeline Steps Plugin 2↗2023-01-24

▶

📋Vendor Advisories

Red Hat

GitPython: Insecure non-multi options in clone and clone_from is not blocked↗2023-08-11

▶

Jenkins

Jenkins Security Advisory 2023-01-24↗2023-01-24

▶