[JENKINS:SECURITY-1508] `aqua-security-scanner` showed plain text password in configuration form

Severity Low

Affected Packages 2

Fixed Packages 2

CVEs 1

aqua-security-scanner stores a password in its global Jenkins configuration.

While the password is stored encrypted on disk, it was transmitted in plain text as part of the configuration form.
This could result in exposure of the password through browser extensions, cross-site scripting vulnerabilities, and similar situations.

aqua-security-scanner now encrypts the password transmitted to administrators viewing the global configuration form.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/aqua-security-scanner	<= 3.0.17
pkg:github/jenkinsci/aqua-security-scanner-plugin	<= 3.0.17

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/aqua-security-scanner	= 3.0.18
pkg:github/jenkinsci/aqua-security-scanner-plugin	= 3.0.18

ID

JENKINS:SECURITY-1508

Severity

low

Published

2019-09-25T00:00:00
(5 years ago)

Modified

2019-09-25T00:00:00
(5 years ago)

Rights

Jenkins Security Team

Other Advisories

MAVEN:GHSA-XP44-8VWR-XWMV

Source	# ID	Name	URL
Plugin repository		aqua-security-scanner repository	https://github.com/jenkinsci/aqua-security-scanner-plugin

Type	Package URL	Namespace	Name / Product	Version
Affected	pkg:maven/org.jenkins-ci.plugins/aqua-security-scanner	org.jenkins-ci.plugins	aqua-security-scanner	<= 3.0.17
Fixed	pkg:maven/org.jenkins-ci.plugins/aqua-security-scanner	org.jenkins-ci.plugins	aqua-security-scanner	= 3.0.18
Affected	pkg:github/jenkinsci/aqua-security-scanner-plugin	jenkinsci	aqua-security-scanner-plugin	<= 3.0.17
Fixed	pkg:github/jenkinsci/aqua-security-scanner-plugin	jenkinsci	aqua-security-scanner-plugin	= 3.0.18

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date