CVE-2023-25721: Veracode Scan Jenkins Plugin vulnerable to information disclosure

March 28, 2023 (updated April 5, 2023)

Veracode Scan Jenkins Plugin before 23.3.19.0, when the “Connect using proxy” option is enabled and configured with proxy credentials and when the Jenkins global system setting debug is enabled and when a scan is configured for remote agent jobs, allows users (with access to view the job log) to discover proxy credentials.

References

community.veracode.com/s/spotlight/frequently-asked-questions-for-cve-2023-25721-and-cve-2023-25722-MCFT34TH6OGRFR7F7JGDQQP4TNZE
docs.veracode.com/updates/r/c_all_int
github.com/advisories/GHSA-c4jr-vjm4-27hq
nvd.nist.gov/vuln/detail/CVE-2023-25721
veracode.com/

Code Behaviors & Features

Detect and mitigate CVE-2023-25721 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →