GHSA-279f-qwgh-h5mp

Suggest an improvement
Source
https://github.com/advisories/GHSA-279f-qwgh-h5mp
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/09/GHSA-279f-qwgh-h5mp/GHSA-279f-qwgh-h5mp.json
JSON Data
https://api.test.osv.dev/v1/vulns/GHSA-279f-qwgh-h5mp
Aliases
Published
2023-09-20T18:30:21Z
Modified
2024-11-30T05:27:16.178002Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Jenkins does not exclude sensitive build variables from search
Details

Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc.

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from this search.

This allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Jenkins 2.424, LTS 2.414.2 excludes sensitive variables from this search.

Database specific
{
    "nvd_published_at": "2023-09-20T17:15:11Z",
    "cwe_ids": [],
    "severity": "MODERATE",
    "github_reviewed": true,
    "github_reviewed_at": "2023-09-21T16:55:44Z"
}
References

Affected packages

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.50
Fixed
2.414.2

Affected versions

2.*

2.50
2.51
2.52
2.53
2.54
2.55
2.56
2.57
2.58
2.59
2.60
2.60.1
2.60.2
2.60.3
2.61
2.62
2.63
2.64
2.65
2.66
2.67
2.68
2.69
2.70
2.71
2.72
2.73
2.73.1
2.73.2
2.73.3
2.74
2.75
2.76
2.77
2.78
2.79
2.80
2.81
2.82
2.83
2.84
2.85
2.86
2.87
2.88
2.89
2.89.1
2.89.2
2.89.3
2.89.4
2.90
2.91
2.92
2.93
2.94
2.95
2.96
2.97
2.98
2.99
2.100
2.101
2.102
2.103
2.104
2.105
2.106
2.107
2.107.1
2.107.2
2.107.3
2.108
2.109
2.110
2.111
2.112
2.113
2.114
2.115
2.116
2.117
2.118
2.119
2.120
2.121
2.121.1
2.121.2
2.121.3
2.122
2.123
2.124
2.125
2.126
2.127
2.128
2.129
2.130
2.131
2.132
2.133
2.134
2.135
2.136
2.137
2.138
2.138.1
2.138.2
2.138.3
2.138.4
2.140
2.141
2.142
2.143
2.144
2.145
2.146
2.147
2.148
2.149
2.150
2.150.1
2.150.2
2.150.3
2.151
2.152
2.153
2.154
2.155
2.156
2.157
2.158
2.159
2.160
2.161
2.162
2.163
2.164
2.164.1
2.164.2
2.164.3
2.165
2.166
2.167
2.168
2.169
2.170
2.171
2.172
2.173
2.174
2.175
2.176
2.176.1
2.176.2
2.176.3
2.176.4
2.177
2.178
2.179
2.180
2.181
2.182
2.183
2.184
2.185
2.186
2.187
2.189
2.190
2.190.1
2.190.2
2.190.3
2.191
2.192
2.193
2.194
2.195
2.196
2.197
2.198
2.199
2.200
2.201
2.202
2.203
2.204
2.204.1
2.204.2
2.204.3
2.204.4
2.204.5
2.204.6
2.205
2.206
2.207
2.208
2.209
2.210
2.211
2.212
2.213
2.214
2.215
2.216
2.217
2.218
2.219
2.220
2.221
2.222
2.222.1
2.222.3
2.222.4
2.223
2.224
2.225
2.226
2.227
2.228
2.229
2.230
2.231
2.232
2.233
2.234
2.235
2.235.1
2.235.2
2.235.3
2.235.4
2.235.5
2.236
2.237
2.238
2.239
2.240
2.241
2.242
2.243
2.244
2.245
2.246
2.247
2.248
2.249
2.249.1
2.249.2
2.249.3
2.250
2.251
2.252
2.253
2.254
2.255
2.256
2.257
2.258
2.259
2.260
2.261
2.262
2.263
2.263.1
2.263.2
2.263.3
2.263.4
2.264
2.265
2.266
2.267
2.268
2.269
2.270
2.271
2.272
2.273
2.274
2.275
2.276
2.277
2.277.1
2.277.2
2.277.3
2.277.4
2.278
2.279
2.280
2.281
2.282
2.283
2.284
2.285
2.286
2.287
2.288
2.289
2.289.1
2.289.2
2.289.3
2.290
2.291
2.292
2.293
2.294
2.295
2.296
2.297
2.298
2.299
2.300
2.301
2.302
2.303
2.303.1
2.303.2
2.303.3
2.304
2.305
2.306
2.307
2.308
2.309
2.311
2.312
2.313
2.314
2.315
2.316
2.317
2.318
2.319
2.319.1
2.319.2
2.319.3
2.320
2.321
2.322
2.323
2.324
2.325
2.326
2.327
2.328
2.329
2.330
2.331
2.332
2.332.1
2.332.2
2.332.3
2.332.4
2.333
2.334
2.335
2.336
2.337
2.338
2.339
2.340
2.341
2.342
2.343
2.344
2.345
2.346
2.346.1
2.346.2
2.346.3
2.347
2.348
2.349
2.350
2.354
2.355
2.356
2.357
2.358
2.359
2.360
2.361
2.361.1
2.361.2
2.361.3
2.361.4
2.362
2.363
2.364
2.365
2.366
2.367
2.368
2.369
2.370
2.371
2.372
2.373
2.374
2.375
2.375.1
2.375.2
2.375.3
2.375.4
2.376
2.377
2.378
2.379
2.380
2.381
2.382
2.383
2.384
2.385
2.386
2.387
2.387.1
2.387.2
2.387.3
2.388
2.389
2.390
2.391
2.392
2.393
2.394
2.395
2.396
2.397
2.398
2.399
2.400
2.401
2.401.1
2.401.2
2.401.3
2.402
2.403
2.404
2.405
2.406
2.407
2.409
2.410
2.411
2.412
2.413
2.414
2.414.1

Maven / org.jenkins-ci.main:jenkins-core

Package

Name
org.jenkins-ci.main:jenkins-core
View open source insights on deps.dev
Purl
pkg:maven/org.jenkins-ci.main/jenkins-core

Affected ranges

Type
ECOSYSTEM
Events
Introduced
2.415
Fixed
2.424

Affected versions

2.*

2.415
2.416
2.417
2.418
2.419
2.420
2.421
2.422
2.423