Description
An exposure of sensitive information vulnerability exists in Jenkins Black Duck Hub Plugin 4.0.0 and older, in PostBuildScanDescriptor.java. It allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credential IDs obtained through another method, capturing credentials stored in Jenkins.
Remediation
References
https://jenkins.io/security/advisory/2018-06-04/#SECURITY-865
Related Vulnerabilities
CVE-2020-26883 Vulnerability in maven package com.typesafe.play:play-java
CVE-2019-1003062 Vulnerability in maven package org.jenkins-ci.plugins:aws-cloudwatch-logs-publisher
CVE-2020-14338 Vulnerability in maven package xerces:xercesimpl
CVE-2023-46120 Vulnerability in maven package com.rabbitmq:amqp-client
CVE-2020-1957 Vulnerability in maven package org.apache.shiro:shiro-web