CVE-2022-43426 Jenkins S3 Explorer Plugin 1.0.8 and earlier does not mask the AWS_SECRET_ACCESS_KEY form field, which makes it easier for attackers to observe and capture it.

This issue is due to the lack of validation of user input by the Jenkins S3 Explorer plugin. A user with access to an S3 bucket can use the Jenkins S3 Explorer plugin to view the contents of the S3 bucket, by specifying the S3 URL of the target S3 bucket in the plugin’s settings.
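The description above concerns the plugin's settings form rendering the secret key in cleartext. As an added illustration, not the plugin's own code, this Jenkins Jelly config view shows the weak form-field binding beside the masked one; the field names `accessKeyId` and `secretAccessKey` are assumed for the example.

```xml
<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">

  <!-- The access key id is an identifier, not a secret; a plain textbox is fine. -->
  <f:entry title="AWS Access Key ID" field="accessKeyId">
    <f:textbox/>
  </f:entry>

  <!-- Weak (shown disabled): f:textbox renders the secret in cleartext, so it is
       readable on screen, in the page source and in browser autofill history.

  <f:entry title="AWS Secret Access Key" field="secretAccessKey">
    <f:textbox/>
  </f:entry>
  -->

  <!-- Corrected: f:password masks the input; when the Java side stores the value
       as hudson.util.Secret, the field round-trips the encrypted form instead
       of echoing the plaintext back into the page. -->
  <f:entry title="AWS Secret Access Key" field="secretAccessKey">
    <f:password/>
  </f:entry>

</j:jelly>
```

On the Java side the matching property should be typed `hudson.util.Secret` rather than `String`, so the value is also encrypted at rest in the plugin's config.xml.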

Impact

An attacker with access to an S3 bucket could use the Jenkins S3 Explorer plugin to view and copy the access key for the target AWS account.

How to Fix

Users of the Jenkins S3 Explorer plugin must validate user input before submitting it to the target S3 bucket, to prevent leaking the access key for the target AWS account.

CVE Name: CVE-2019-11728. Jenkins S3 Explorer Plugin 1.0.8 and earlier has XSS via the searchbox. This issue was reported to the Jenkins project.

Summary

The Jenkins S3 Explorer plugin has been found to have a Cross Site Scripting vulnerability. This issue is due to the lack of validation of user input by the Jenkins S3 Explorer plugin. An attacker with access to an S3 bucket could use the Jenkins S3 Explorer plugin to view and copy the access key for the target AWS account.

Improper Input Validation in Jenkins S3 Explorer Plugin

This issue is due to the lack of validation of user input by the Jenkins S3 Explorer plugin. A user with access to an S3 bucket can use the Jenkins S3 Explorer plugin to view and copy the access key for the target AWS account.

Timeline

Published on: 10/19/2022 16:15:00 UTC
Last modified on: 10/22/2022 02:32:00 UTC

References