CVE-2023-25721
Veracode Scan Jenkins Plugin vulnerable to information disclosure
Description
Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations. Users are potentially affected only if all of the following hold:
- they are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
- AND have configured Veracode Scan to run on remote agent jobs
- AND have enabled the "Connect using proxy" option
- AND have configured the proxy settings with proxy credentials
- AND a Jenkins admin has enabled debug in global system settings.
By default, even in this configuration only the job owner or a Jenkins admin can view the job log.
How to fix CVE-2023-25721
To remediate CVE-2023-25721, upgrade the affected package to the fixed version below.
- upgrade Veracode Scan Jenkins Plugin to 23.3.19.0 or later
Is CVE-2023-25721 being exploited?
Low — EPSS is 0.3%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Veracode Scan Jenkins Plugin: all versions from 0 up to, but not including, 23.3.19.0
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | MEDIUM (4.4) | CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N |