[MAVEN:GHSA-5GWQ-4275-Q4QC] Jenkins AWS CodePipeline Plugin has Insufficiently Protected Credentials

Severity High

Affected Packages 1

Fixed Packages 1

CVEs 1

Jenkins project Jenkins AWS CodePipeline Plugin version 0.36 and earlier contains a Insufficiently Protected Credentials vulnerability in AWSCodePipelineSCM.java that can result in Credentials Disclosure. This attack appear to be exploitable via local file access. This vulnerability appears to have been fixed in 0.37 and later.

Package	Affected Version
pkg:maven/com.amazonaws/aws-codepipeline	< 0.37

Package	Fixed Version
pkg:maven/com.amazonaws/aws-codepipeline	= 0.37

ID

MAVEN:GHSA-5GWQ-4275-Q4QC

Severity

high

URL

https://github.com/advisories/GHSA-5gwq-4275-q4qc

Published

2022-05-13T01:48:37
(2 years ago)

Modified

2023-01-29T05:03:58
(19 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-967

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2018-1000401
			https://jenkins.io/security/advisory/2018-06-25/#SECURITY-967
			https://github.com/jenkinsci/aws-codepipeline-plugin/commit/a45d3dc52c8b6f49e813a2ee8b796f0302649c69
			https://github.com/advisories/GHSA-5gwq-4275-q4qc

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/com.amazonaws/aws-codepipeline	com.amazonaws	aws-codepipeline	< 0.37
Fixed	pkg:maven/com.amazonaws/aws-codepipeline	com.amazonaws	aws-codepipeline	= 0.37

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date