[MAVEN:GHSA-J55J-28WC-V338] Jenkins Report Portal Plugin configuration form does not mask tokens

Severity Moderate

Affected Packages 1

CVEs 1

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These tokens can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system. Additionally, the configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/reportportal	<= 0.5

ID

MAVEN:GHSA-J55J-28WC-V338

Severity

moderate

URL

https://github.com/advisories/GHSA-j55j-28wc-v338

Published

2023-04-12T18:30:36
(17 months ago)

Modified

2023-04-21T17:53:59
(17 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2945

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2023-30524
			https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2945
			http://www.openwall.com/lists/oss-security/2023/04/13/3
			https://github.com/advisories/GHSA-j55j-28wc-v338

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/reportportal	org.jenkins-ci.plugins	reportportal	<= 0.5

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date