SCA: security update for com.veracode.jenkins:veracode-scan (GHSA-fjrv-vx9m-4jpj)

Medium | Tenable Self-Hosted Container Security | Plugin ID 414570

Description

There are packages installed that are affected by a vulnerability referenced in the following CVE:

- A credential-leak issue was discovered in related Veracode products before 2023-03-27. Veracode Scan
Jenkins Plugin before 23.3.19.0, when configured for remote agent jobs, invokes the Veracode Java API
Wrapper in a manner that allows local users (with OS-level access of the Jenkins remote) to discover
Veracode API credentials by listing the process and its arguments. Veracode Scan Jenkins Plugin before
23.3.19.0, when configured for remote agent jobs and when the "Connect using proxy" option is enabled and
configured with proxy credentials, allows local users of the Jenkins remote to discover proxy credentials
by listing the process and its arguments. Veracode Azure DevOps Extension before 3.20.0 invokes the
Veracode Java API Wrapper in a manner that allows local users (with OS-level access to the Azure DevOps
Services cloud infrastructure or Azure DevOps Server) to discover Veracode API credentials by listing the
process and its arguments. Veracode Azure DevOps Extension before 3.20.0, when configured with proxy
credentials, allows users (with shell access to the Azure DevOps Services cloud infrastructure or Azure
DevOps Server) to discover proxy credentials by listing the process and its arguments. (CVE-2023-25722)

See Also

https://github.com/advisories/GHSA-fjrv-vx9m-4jpj

Plugin Details

Severity: Medium

ID: 414570

Version: Revision 1.7

Type: Local

Family: SCA Checks

Published: 1/23/2025

Updated: 6/1/2026

Supported Sensors: Tenable Cloud Security, Tenable Self-Hosted Container Security

Risk Information

VPR

Risk Factor: Low

Score: 3

Percentile: 23.51

Vendor

Vendor Severity: Medium

CVSS v2

Risk Factor: Medium

Base Score: 4.6

Temporal Score: 3.4

Vector: CVSS2#AV:L/AC:L/Au:S/C:C/I:N/A:N

CVSS Score Source: CVE-2023-25722

CVSS v3

Risk Factor: Medium

Base Score: 5.5

Temporal Score: 4.8

Vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

Exploit Ease: No known exploits are available

Patch Publication Date: 3/28/2023

Vulnerability Publication Date: 3/28/2023

Reference Information

CVE: CVE-2023-25722

CWE: CWE-214