Jenkins 2.50 through 2.423 (both inclusive) and LTS 2.60.1 through 2.414.1 (both inclusive) do not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
History
Tue, 24 Sep 2024 19:30:00 +0000
Type | Values Removed | Values Added |
---|---|---|
Metrics | | ssvc |
MITRE
Status: PUBLISHED
Assigner: jenkins
Published: 2023-09-20T16:06:08.742Z
Updated: 2024-09-24T18:52:34.098Z
Reserved: 2023-09-19T09:22:58.129Z
Link: CVE-2023-43494
Vulnrichment
Updated: 2024-08-02T19:44:42.278Z
NVD
Status: Modified
Published: 2023-09-20T17:15:11.667
Modified: 2024-11-21T08:24:09.237
Link: CVE-2023-43494