PT-2023-20274 · Veracode · Veracode Scan Jenkins Plugin+2
Published 2023-03-28 · Updated 2023-04-05 · CVE-2023-25722
CVSS v3.1: 5.5 (Medium)
| Vector | AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Veracode Scan Jenkins Plugin versions prior to 23.3.19.0
Veracode Azure DevOps Extension versions prior to 3.20.0
Description
A credential-leak issue was discovered in related Veracode products. The Veracode Scan Jenkins Plugin, when configured for remote agent jobs, invokes the Veracode Java API Wrapper with the credentials on its command line, so local users on the agent can discover Veracode API credentials simply by listing the process and its arguments. Additionally, when the "Connect using proxy" option is enabled and configured with proxy credentials, local users can discover the proxy credentials the same way. The Veracode Azure DevOps Extension also invokes the Veracode Java API Wrapper in this manner, allowing local users to discover Veracode API credentials and, when proxy credentials are configured, the proxy credentials as well.
Recommendations
For Veracode Scan Jenkins Plugin versions prior to 23.3.19.0, update to version 23.3.19.0 or later to resolve the issue.
For Veracode Azure DevOps Extension versions prior to 3.20.0, update to version 3.20.0 or later to resolve the issue.
As a temporary workaround, consider restricting access to the Veracode Java API Wrapper to minimize the risk of exploitation.
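As an added check that is not part of this advisory or of Veracode's own code, the script below scans a `ps -eo pid,args` listing from a build agent for wrapper invocations that carry credentials in their arguments, reports them without echoing the secret values, and compares an installed version against the fixed releases named above. The wrapper flag names and the sample process listing are assumptions constructed for illustration.

```python
import re
import shlex

# Wrapper options that take a credential as the next argv token. The flag
# names (-vid/-vkey for the API key pair, -puser/-ppassword for the proxy) are
# assumed here for illustration; confirm them against your wrapper version.
CREDENTIAL_FLAGS = ("-vid", "-vkey", "-puser", "-ppassword")
WRAPPER_HINT = re.compile(r"veracode\S*\.jar", re.IGNORECASE)

# Constructed sample of `ps -eo pid,args` output from a build agent.
SAMPLE_PS = """\
  PID ARGS
  812 /usr/bin/java -jar /opt/veracode/VeracodeJavaAPI.jar -vid 0123abcd -vkey s3cr3tkeyvalue -action uploadandscan -appname demo
 2390 /usr/bin/java -jar /opt/veracode/VeracodeJavaAPI.jar -vid 0123abcd -vkey s3cr3tkeyvalue -phost proxy.internal -pport 3128 -puser svc -ppassword hunter2 -action getbuildinfo
 4101 /usr/bin/java -jar /opt/jenkins/agent.jar -jnlpUrl http://jenkins.internal/computer/agent1/slave-agent.jnlp
"""

def find_exposed_credentials(ps_output: str) -> list[dict]:
    """One finding per Veracode wrapper process whose argv carries a credential
    flag with a value. Values are reported only as lengths, so the finding
    itself (log line, ticket) does not re-leak the secret."""
    findings = []
    for raw in ps_output.splitlines():
        line = raw.strip()
        if not line or line.upper().startswith("PID"):
            continue
        pid, _, args = line.partition(" ")
        if not WRAPPER_HINT.search(args):
            continue
        try:
            argv = shlex.split(args)
        except ValueError:  # unbalanced quotes in a command line; fall back
            argv = args.split()
        flags, lengths = [], {}
        for i, tok in enumerate(argv[:-1]):  # a flag needs a following value
            if tok in CREDENTIAL_FLAGS:
                flags.append(tok)
                lengths[tok] = len(argv[i + 1])
        if flags:
            findings.append({"pid": pid, "flags": flags, "value_lengths": lengths})
    return findings

def is_patched(installed: str, fixed: str) -> bool:
    """True when a dotted numeric version is at or above the fixed release."""
    a = [int(p) for p in installed.split(".")]
    b = [int(p) for p in fixed.split(".")]
    n = max(len(a), len(b))
    return a + [0] * (n - len(a)) >= b + [0] * (n - len(b))
```

Run it on agents as a user with process-list visibility; a non-empty result means a job is still launching the wrapper with secrets in argv and the plugin or extension should be updated to the fixed versions above.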
Fix
Information Disclosure
Related Identifiers
Affected Products
Veracode Azure DevOps Extension
Veracode Java API Wrapper
Veracode Scan Jenkins Plugin