Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-gqxr-hvrw-6hfh: Jenkins NS-ND Integration Performance Publisher Plugin displays credentials without masking

Jenkins NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.

While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2023-33000

Jenkins NS-ND Integration Performance Publisher Plugin displays credentials without masking

Low severity GitHub Reviewed Published May 16, 2023 to the GitHub Advisory Database • Updated May 17, 2023

Package

maven io.jenkins.plugins:cavisson-ns-nd-integration (Maven)

Affected versions

< 4.11.0.48

Patched versions

4.11.0.48

Jenkins NS-ND Integration Performance Publisher Plugin stores credentials in job config.xml files on the Jenkins controller as part of its configuration.

While these credentials are stored encrypted on disk, in NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier, the job configuration form does not mask these credentials, increasing the potential for attackers to observe and capture them.

NS-ND Integration Performance Publisher Plugin 4.11.0.48 masks credentials displayed on the configuration form.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2023-33000
  • https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-2962

Published to the GitHub Advisory Database

May 16, 2023

Last updated

May 17, 2023

Related news

CVE-2023-2195: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins Code Dx Plugin 3.1.0 and earlier allows attackers to connect to an attacker-specified URL.

CVE-2023-33002: Jenkins Security Advisory 2023-05-16

Jenkins TestComplete support Plugin 2.8.1 and earlier does not escape the TestComplete project name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-33005: Jenkins Security Advisory 2023-05-16

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not invalidate the previous session on login.

CVE-2023-33000: Jenkins Security Advisory 2023-05-16

Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier does not mask credentials displayed on the configuration form, increasing the potential for attackers to observe and capture them.

CVE-2023-33007: Jenkins Security Advisory 2023-05-16

Jenkins LoadComplete support Plugin 1.0 and earlier does not escape the LoadComplete test name, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers with Item/Configure permission.

CVE-2023-32996: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins SAML Single Sign On(SSO) Plugin 2.0.0 and earlier allows attackers with Overall/Read permission to send an HTTP POST request with JSON body containing attacker-specified content, to miniOrange's API for sending emails.

CVE-2023-32984: Jenkins Security Advisory 2023-05-16

Jenkins TestNG Results Plugin 730.v4c5283037693 and earlier does not escape several values that are parsed from TestNG report files and displayed on the plugin's test information pages, resulting in a stored cross-site scripting (XSS) vulnerability exploitable by attackers able to provide a crafted TestNG report file.

CVE-2023-32988: Jenkins Security Advisory 2023-05-16

A missing permission check in Jenkins Azure VM Agents Plugin 852.v8d35f0960a_43 and earlier allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins.

CVE-2023-32978: Jenkins Security Advisory 2023-05-16

A cross-site request forgery (CSRF) vulnerability in Jenkins LDAP Plugin 673.v034ec70ec2b_b_ and earlier allows attackers to connect to an attacker-specified LDAP server using attacker-specified credentials.

CVE-2023-32985: Jenkins Security Advisory 2023-05-16

Jenkins Sidebar Link Plugin 2.2.1 and earlier does not restrict the path of files in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of an attacker-specified file path on the Jenkins controller file system.