Description

Jenkins Kubernetes Plugin 3909.v1f2c633e8590 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

Related Vulnerabilities

CVE-2020-14967 Vulnerability in maven package org.webjars.npm:jsrsasign

CVE-2018-1000836 Vulnerability in maven package org.bedework.caleng:bw-calendar-engine-impl

CVE-2023-40350 Vulnerability in maven package org.jenkins-ci.plugins:docker-swarm

CVE-2019-10374 Vulnerability in maven package org.jenkins-ci.plugins:pegdown-formatter

CVE-2019-20363 Vulnerability in maven package org.igniterealtime.openfire:xmppserver

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory