CVE-2022-46685 — Jenkins Gitea Plugin vulnerable to Cleartext Transmission of Sensitive Informati

Description

In Jenkins Gitea Plugin 1.4.4 and earlier, the implementation of Gitea personal access tokens did not support credentials masking, potentially exposing them through the build log. Gitea Plugin 1.4.5 adds support for masking of Gitea personal access tokens. Administrators unable to update are advised to use SSH checkout instead.

How to fix CVE-2022-46685

To remediate CVE-2022-46685, upgrade the affected package to a fixed version below.

—upgrade to 1.4.5 or later
—upgrade to 1.4.5 or later

Is CVE-2022-46685 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (2)

from 0, < 1.4.5
from 0, < 1.4.5

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2022-46685
PATCHgithub.com/jenkinsci/gitea-plugin
WEBgithub.com/jenkinsci/gitea-plugin/commit/b3b2bd869b91f9f1312bbbbf6128cad2cd86bd8c
WEBwww.jenkins.io/security/advisory/2022-12-07/#SECURITY-2661