Description

The Jenkins 2.73.1 and earlier, 2.83 and earlier default form control for passwords and other secrets, , supports form validation (e.g. for API keys). The form validation AJAX requests were sent via GET, which could result in secrets being logged to a HTTP access log in non-default configurations of Jenkins, and made available to users with access to these log files. Form validation for is now always sent via POST, which is typically not logged.

Remediation

References

https://jenkins.io/security/advisory/2017-10-11/

Related Vulnerabilities

CVE-2023-36542 Vulnerability in maven package org.apache.nifi:nifi-dbcp-service

CVE-2022-45396 Vulnerability in maven package com.thalesgroup.hudson.plugins:sourcemonitor

CVE-2019-1003033 Vulnerability in maven package org.jenkins-ci.plugins:groovy

CVE-2022-45395 Vulnerability in maven package com.thalesgroup.jenkins-ci.plugins:cccc

CVE-2021-28657 Vulnerability in maven package org.apache.tika:tika-parsers

Severity

Low

Classification

CWE-20 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:N/A:N

Tags

Vendor Advisory