CVE-2023-27904

2023-03-1021:15:15

[email protected]

web.nvd.nist.gov

190

cve-2023-27904

jenkins

lts

agent

error stack trace

information disclosure

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

5.2 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

27.3%

JSON

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

Affected configurations

NVD

Node

jenkinsjenkinsRange<2.375.4lts

jenkinsjenkinsRange<2.394-

CPENameOperatorVersion
jenkins:jenkinsjenkinslt2.375.4
jenkins:jenkinsjenkinslt2.394

CPE	Name	Operator	Version
jenkins:jenkins	jenkins	lt	2.375.4
jenkins:jenkins	jenkins	lt	2.394

CNA Affected

[
  {
    "defaultStatus": "affected",
    "product": "Jenkins",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThan": "*",
        "status": "unaffected",
        "version": "2.394",
        "versionType": "maven"
      },
      {
        "lessThan": "2.375.*",
        "status": "unaffected",
        "version": "2.375.4",
        "versionType": "maven"
      },
      {
        "lessThan": "2.387.*",
        "status": "unaffected",
        "version": "2.387.1",
        "versionType": "maven"
      }
    ]
  }
]