4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-25721

GHSA ID

GHSA-c4jr-vjm4-27hq

EPSS Score

0.44121%

CWE

CWE-532

Published

3/28/2023

Updated

4/5/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-25721

CVE-2023-25721: Veracode Scan Jenkins Plugin vulnerable to information disclosure

Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.

Users are potentially affected if they:

are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
AND have configured Veracode Scan to run on remote agent jobs
AND have enabled the "Connect using proxy" option
AND have configured the proxy settings with proxy credentials
AND a Jenkins admin has enabled debug in global system settings.

By default, even in this configuration only the job owner or Jenkins admin can view the job log.

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-25721

CVE-2023-25721:

4.4

CVSS Score

3.1

-

CVSS Score

Basic Information

CVE ID

CVE-2023-25721

GHSA ID

GHSA-c4jr-vjm4-27hq

EPSS Score

0.44121%

CWE

CWE-532

Published

3/28/2023

Updated

4/5/2023

KEV Status

Technology

Java

Basic Information

CVE ID

GHSA ID

EPSS Score

CWE

Published

Updated

KEV Status

Technology

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.veracode.jenkins:veracode-scan	maven	< 23.3.19.0	23.3.19.0

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from proxy credentials being logged in job outputs when: 1) Proxy is configured 2) Debug logging is enabled. The most likely candidates are functions handling proxy configuration serialization and scan argument construction. ScanUtil.buildScanArguments is a high-confidence candidate as it would directly handle credential-containing arguments. VeracodeScanBuilder.perform is medium confidence as the main execution entry point that would coordinate logging. The patch (23.3.19.0) likely added credential masking in these areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.4

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-25721: Veracode Scan Jenkins Plugin vulnerable to information disclosure

CVE-2023-25721:

4.4

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

4.4

4.4

Technical Details

Basic Information

Basic Information

CVE-2023-25721: Veracode Scan Jenkins Plugin vulnerable to information disclosure

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI