CVE-2023-43494
Vulnerability from cvelistv5
Published
2023-09-20 16:06
Modified
2024-08-02 19:44
Severity
Summary
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
References
| Source | URL | Tags |
|---|---|---|
| jenkinsci-cert@googlegroups.com | http://www.openwall.com/lists/oss-security/2023/09/20/5 | Mailing List, Third Party Advisory |
| jenkinsci-cert@googlegroups.com | https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261 | Vendor Advisory |
Impacted products
| Vendor | Product |
|---|---|
| Jenkins Project | Jenkins |
{
"containers": {
"adp": [
{
"providerMetadata": {
"dateUpdated": "2024-08-02T19:44:42.278Z",
"orgId": "af854a3a-2127-422b-91ae-364da2661108",
"shortName": "CVE"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-09-20",
"tags": [
"vendor-advisory",
"x_transferred"
],
"url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261"
},
{
"tags": [
"x_transferred"
],
"url": "http://www.openwall.com/lists/oss-security/2023/09/20/5"
}
],
"title": "CVE Program Container"
}
],
"cna": {
"affected": [
{
"defaultStatus": "affected",
"product": "Jenkins",
"vendor": "Jenkins Project",
"versions": [
{
"lessThan": "2.50",
"status": "unaffected",
"version": "0",
"versionType": "maven"
},
{
"lessThan": "*",
"status": "unaffected",
"version": "2.424",
"versionType": "maven"
},
{
"lessThan": "2.414.*",
"status": "unaffected",
"version": "2.414.2",
"versionType": "maven"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered."
}
],
"providerMetadata": {
"dateUpdated": "2023-10-24T12:51:59.931Z",
"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"shortName": "jenkins"
},
"references": [
{
"name": "Jenkins Security Advisory 2023-09-20",
"tags": [
"vendor-advisory"
],
"url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261"
},
{
"url": "http://www.openwall.com/lists/oss-security/2023/09/20/5"
}
]
}
},
"cveMetadata": {
"assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b",
"assignerShortName": "jenkins",
"cveId": "CVE-2023-43494",
"datePublished": "2023-09-20T16:06:08.742Z",
"dateReserved": "2023-09-19T09:22:58.129Z",
"dateUpdated": "2024-08-02T19:44:42.278Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.1",
"meta": {
"nvd": "{\"cve\":{\"id\":\"CVE-2023-43494\",\"sourceIdentifier\":\"jenkinsci-cert@googlegroups.com\",\"published\":\"2023-09-20T17:15:11.667\",\"lastModified\":\"2023-09-25T13:43:35.503\",\"vulnStatus\":\"Analyzed\",\"descriptions\":[{\"lang\":\"en\",\"value\":\"Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.\"},{\"lang\":\"es\",\"value\":\"Jenkins 2.50 a 2.423 (ambos inclusive), LTS 2.60.1 a 2.414.1 (ambos inclusive) no excluye variables de compilaci\u00f3n confidenciales (por ejemplo, valores de par\u00e1metros de contrase\u00f1a) de la b\u00fasqueda en el widget del historial de compilaci\u00f3n, lo que permite a los atacantes con permiso de elemento/lectura. para obtener valores de variables sensibles utilizadas en compilaciones probando iterativamente diferentes caracteres hasta que se descubre la secuencia correcta.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"LOW\",\"integrityImpact\":\"NONE\",\"availabilityImpact\":\"NONE\",\"baseScore\":4.3,\"baseSeverity\":\"MEDIUM\"},\"exploitabilityScore\":2.8,\"impactScore\":1.4}]},\"weaknesses\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"NVD-CWE-noinfo\"}]}],\"configurations\":[{\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*\",\"versionStartIncluding\":\"2.50\",\"versionEndExcluding\":\"2.424\",\"matchCriteriaId\":\"5429075A-09F1-4F3C-A487-A9DF0A08B28B\"},{\"vulnerable\":true,\"criteria\":\"cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*\",\"versionStartIncluding\":\"2.60.1\",\"versionEndExcluding\":\"2.414.2\",\"matchCriteriaId\":\"9A7FCC84-AD94-48E6-AE0A-96C73A8E4614\"}]}]}],\"references\":[{\"url\":\"http://www.openwall.com/lists/oss-security/2023/09/20/5\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Mailing List\",\"Third Party Advisory\"]},{\"url\":\"https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261\",\"source\":\"jenkinsci-cert@googlegroups.com\",\"tags\":[\"Vendor Advisory\"]}]}}"
}
}
Loading...