[MAVEN:GHSA-5MPF-HW8F-86W9] Sensitive parameter values captured in build metadata files by Jenkins Parameterized Trigger Plugin

Severity Low

Affected Packages 1

Fixed Packages 1

CVEs 1

Jenkins Parameterized Trigger Plugin 2.43 and earlier captures environment variables passed to builds triggered using Jenkins Parameterized Trigger Plugin, including password parameter values, in their build.xml files. These values are stored unencrypted and can be viewed by users with access to the Jenkins controller file system.

Existing build.xml files are not automatically updated to remove captured environment variables. They need to be manually cleaned up. To help with this, the plugin will report environment variables stored in build.xml as unloadable data in the Old Data Monitor, that allows discarding this data. Build records are only loaded from disk when needed however, so some builds stored in Jenkins may not immediately appear there.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/parameterized-trigger	< 2.43.1

Package	Fixed Version
pkg:maven/org.jenkins-ci.plugins/parameterized-trigger	= 2.43.1

ID

MAVEN:GHSA-5MPF-HW8F-86W9

Severity

low

URL

https://github.com/advisories/GHSA-5mpf-hw8f-86w9

Published

2022-03-16T00:00:45
(2 years ago)

Modified

2023-12-06T21:32:36
(9 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2185

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2022-27195
			https://www.jenkins.io/security/advisory/2022-03-15/#SECURITY-2185
			http://www.openwall.com/lists/oss-security/2022/03/15/2
			https://github.com/jenkinsci/parameterized-trigger-plugin/commit/6b7cd2272cbd9f97416bff7ea19132b9aad0898d
			https://github.com/jenkinsci/parameterized-trigger-plugin/commit/b5ec2b48df3c4f7b4999c4edf137b34fbea694fd
			https://github.com/advisories/GHSA-5mpf-hw8f-86w9

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/parameterized-trigger	org.jenkins-ci.plugins	parameterized-trigger	< 2.43.1
Fixed	pkg:maven/org.jenkins-ci.plugins/parameterized-trigger	org.jenkins-ci.plugins	parameterized-trigger	= 2.43.1

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date