structs-324.va_f5d6774f3a_d.jar: 1 vulnerabilities (highest severity is: 3.1)

[mend-for-github-com[bot]]

Vulnerable Library - structs-324.va_f5d6774f3a_d.jar

Library plugin for DSL plugins that need names for Jenkins objects.

Library home page: https://github.com/jenkinsci/structs-plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/324.va_f5d6774f3a_d/339785cad419455d387faa8332e419d0c70874f7/structs-324.va_f5d6774f3a_d.jar

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Vulnerabilities

CVE	Severity	CVSS	Dependency	Type	Fixed in (structs version)	Remediation Possible**
CVE-2024-39458	Low	3.1	structs-324.va_f5d6774f3a_d.jar	Direct	org.jenkins-ci.plugins:structs:338.v848422169819	✅

**In some cases, Remediation PR cannot be created automatically for a vulnerability despite the availability of remediation

Details

CVE-2024-39458

### Vulnerable Library - structs-324.va_f5d6774f3a_d.jar

Library plugin for DSL plugins that need names for Jenkins objects.

Library home page: https://github.com/jenkinsci/structs-plugin

Path to dependency file: /build.gradle

Path to vulnerable library: /home/wss-scanner/.gradle/caches/modules-2/files-2.1/org.jenkins-ci.plugins/structs/324.va_f5d6774f3a_d/339785cad419455d387faa8332e419d0c70874f7/structs-324.va_f5d6774f3a_d.jar

Dependency Hierarchy: - :x: **structs-324.va_f5d6774f3a_d.jar** (Vulnerable Library)

Found in HEAD commit: 26696d30ae3a174047ee21ec6573e9b8b0bc1d1e

Found in base branch: main

### Vulnerability Details

When Jenkins Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters, potentially resulting in accidental exposure of secrets through the default system log.

Publish Date: 2024-06-26

URL: CVE-2024-39458

### CVSS 3 Score Details (3.1)

Base Score Metrics: - Exploitability Metrics: - Attack Vector: Network - Attack Complexity: High - Privileges Required: None - User Interaction: Required - Scope: Unchanged - Impact Metrics: - Confidentiality Impact: Low - Integrity Impact: None - Availability Impact: None

For more information on CVSS3 Scores, click here.

### Suggested Fix

Type: Upgrade version

Origin: https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3371

Release Date: 2024-06-26

Fix Resolution: org.jenkins-ci.plugins:structs:338.v848422169819

:rescue_worker_helmet: Automatic Remediation will be attempted for this issue.

---

:rescue_worker_helmet:Automatic Remediation will be attempted for this issue.