CVE-2023-25721

Veracode Scan Jenkins Plugin before 23.3.19.0, when the "Connect using proxy" option is enabled and configured with proxy credentials and when the Jenkins global system setting debug is enabled and when a scan is configured for remote agent jobs, allows users (with access to view the job log) to discover proxy credentials.

CVSS v3 6.5 MEDIUM

6.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 2.8 / Impact : 3.6

Attack Vector NETWORK

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190	Release Notes
https://veracode.com	Vendor Advisory
https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190	Release Notes
https://veracode.com	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:veracode:veracode:*:*:*:*:*:jenkins:*:*

History

19 Feb 2025, 19:15

Type	Values Removed	Values Added
CWE		CWE-532

Information

Published : 2023-03-28 20:15

Updated : 2025-02-19 19:15

NVD link : CVE-2023-25721

Mitre link : CVE-2023-25721

CVE.ORG link : CVE-2023-25721

JSON object : View

Products Affected

veracode

veracode

CWE

NVD-CWE-noinfo CWE-532

Insertion of Sensitive Information into Log File

{"id": "CVE-2023-25721", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 2.8}]}, "published": "2023-03-28T20:15:11.093", "references": [{"url": "https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190", "tags": ["Release Notes"], "source": "cve@mitre.org"}, {"url": "https://veracode.com", "tags": ["Vendor Advisory"], "source": "cve@mitre.org"}, {"url": "https://docs.veracode.com/updates/r/c_all_int#veracode-jenkins-plugin-233190", "tags": ["Release Notes"], "source": "af854a3a-2127-422b-91ae-364da2661108"}, {"url": "https://veracode.com", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "NVD-CWE-noinfo"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-532"}]}], "descriptions": [{"lang": "en", "value": "Veracode Scan Jenkins Plugin before 23.3.19.0, when the \"Connect using proxy\" option is enabled and configured with proxy credentials and when the Jenkins global system setting debug is enabled and when a scan is configured for remote agent jobs, allows users (with access to view the job log) to discover proxy credentials."}], "lastModified": "2025-02-19T19:15:13.430", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:veracode:veracode:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "BA5546FF-7971-441B-A228-B0DB39F7C4AE", "versionEndExcluding": "23.3.19.0"}], "operator": "OR"}]}], "sourceIdentifier": "cve@mitre.org"}