4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25721

GHSA ID

GHSA-c4jr-vjm4-27hq

EPSS Score

0.44229%

CWE

CWE-532

Published

3/28/2023

Updated

4/5/2023

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-25721

CVE-2023-25721:
Veracode Scan Jenkins Plugin vulnerable to information disclosure

Veracode Scan Jenkins Plugin before 23.3.19.0 is vulnerable to information disclosure of proxy credentials in job logs under specific configurations.

Users are potentially affected if they:

are using Veracode Scan Jenkins Plugin prior to 23.3.19.0
AND have configured Veracode Scan to run on remote agent jobs
AND have enabled the "Connect using proxy" option
AND have configured the proxy settings with proxy credentials
AND a Jenkins admin has enabled debug in global system settings.

By default, even in this configuration only the job owner or Jenkins admin can view the job log.

(GitHub Advisory)

4.4

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-25721

GHSA ID

GHSA-c4jr-vjm4-27hq

EPSS Score

0.44229%

CWE

CWE-532

Published

3/28/2023

Updated

4/5/2023

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.veracode.jenkins:veracode-scan	maven	< 23.3.19.0	23.3.19.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from proxy credentials being logged in job outputs when: 1) Proxy is configured 2) Debug logging is enabled. The most likely candidates are functions handling proxy configuration serialization and scan argument construction. ScanUtil.buildScanArguments is a high-confidence candidate as it would directly handle credential-containing arguments. VeracodeScanBuilder.perform is medium confidence as the main execution entry point that would coordinate logging. The patch (23.3.19.0) likely added credential masking in these areas.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

V*r**o** S**n J*nkins Plu*in ***or* **.*.**.* is vuln*r**l* to in*orm*tion *is*losur* o* proxy *r***nti*ls in jo* lo*s un**r sp**i*i* *on*i*ur*tions. Us*rs *r* pot*nti*lly *****t** i* t**y: - *r* usin* V*r**o** S**n J*nkins Plu*in prior to **.*.**.*

Reasoning

T** vuln*r**ility st*ms *rom proxy *r***nti*ls **in* lo**** in jo* outputs w**n: *) Proxy is *on*i*ur** *) ***u* lo**in* is *n**l**. T** most lik*ly **n*i**t*s *r* *un*tions **n*lin* proxy *on*i*ur*tion s*ri*liz*tion *n* s**n *r*um*nt *onstru*tion. `

4.4

Basic Information

Concerned about an active attack path?

CVE-2023-25721: Veracode Scan Jenkins Plugin vulnerable to information disclosure

4.4

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-25721:
Veracode Scan Jenkins Plugin vulnerable to information disclosure

Vulnerability Intelligence
Miggo AI