GHSA-XFX3-CR74-X3CV

Vulnerability from github – Published: 2024-06-26 18:30 – Updated: 2024-11-06 14:27
VLAI?
Summary
Exposure of secrets through system log in Jenkins Structs Plugin
Details

Structs Plugin provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution.

When Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters.

This can result in accidental exposure of secrets through the default system log.

Structs Plugin 338.v848422169819 inspects the types of actual parameters before logging these warning messages, and limits detailed diagnostic information to FINE level log messages if secrets are involved. These log messages are not displayed in the default Jenkins system log.

Severity ?
3.1 (Low)
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
2.3 (Low)
CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Show details on source website
To clipboard 

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.jenkins-ci.plugins:structs"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "0"
            },
            {
              "fixed": "338.v848422169819"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2024-39458"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-200",
      "CWE-209"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2024-06-26T20:03:44Z",
    "nvd_published_at": "2024-06-26T17:15:27Z",
    "severity": "LOW"
  },
  "details": "Structs Plugin provides utility functionality used, e.g., in Pipeline to instantiate and configure build steps, typically before their execution.\n\nWhen Structs Plugin 337.v1b_04ea_4df7c8 and earlier fails to configure a build step, it logs a warning message containing diagnostic information that may contain secrets passed as step parameters.\n\nThis can result in accidental exposure of secrets through the default system log.\n\nStructs Plugin 338.v848422169819 inspects the types of actual parameters before logging these warning messages, and limits detailed diagnostic information to FINE level log messages if secrets are involved. These log messages are not displayed in the default Jenkins system log.\n",
  "id": "GHSA-xfx3-cr74-x3cv",
  "modified": "2024-11-06T14:27:40Z",
  "published": "2024-06-26T18:30:28Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2024-39458"
    },
    {
      "type": "WEB",
      "url": "https://github.com/jenkinsci/structs-plugin/commit/84842216981976d920b568726f8590a7b39a56a1"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/jenkinsci/structs-plugin"
    },
    {
      "type": "WEB",
      "url": "https://www.jenkins.io/security/advisory/2024-06-26/#SECURITY-3371"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2024/06/26/2"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N",
      "type": "CVSS_V3"
    },
    {
      "score": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N",
      "type": "CVSS_V4"
    }
  ],
  "summary": "Exposure of secrets through system log in Jenkins Structs Plugin"
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Sightings

Author Source Type Date

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.