Description
Jenkins Maven Artifact ChoiceListProvider (Nexus) Plugin 1.14 and earlier does not set the appropriate context for credentials lookup, allowing attackers with Item/Configure permission to access and capture credentials they are not entitled to.
Remediation
References
https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3153
http://www.openwall.com/lists/oss-security/2023/08/16/3