Description

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

Related Vulnerabilities

CVE-2021-45046 Vulnerability in maven package org.apache.logging.log4j:log4j-core

CVE-2021-21625 Vulnerability in maven package org.jenkins-ci.plugins:aws-credentials

CVE-2019-20149 Vulnerability in maven package org.webjars.bowergithub.jonschlinkert:kind-of

CVE-2020-13934 Vulnerability in maven package org.apache.tomcat:tomcat-coyote

CVE-2022-31198 Vulnerability in maven package org.webjars.npm:openzeppelin__contracts-upgradeable

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory