Description

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

Related Vulnerabilities

CVE-2023-26144 Vulnerability in npm package graphql

CVE-2021-39184 Vulnerability in npm package electron

CVE-2020-26289 Vulnerability in npm package date-and-time

CVE-2021-23899 Vulnerability in maven package com.mikesamuel:json-sanitizer

CVE-2022-36900 Vulnerability in maven package com.compuware.jenkins:compuware-zadviser-api

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory