GitHub Advisory Database: GHSA-RRGP-C2W8-6VG6
Mar 10, 2023 - 9:30 p.m.

Information disclosure through error stack traces related to agents

2023-03-10 21:30:19

CVSS3: 5.3 Medium

Attack Vector: NETWORK
Attack Complexity: LOW
Privileges Required: NONE
User Interaction: NONE
Scope: UNCHANGED
Confidentiality Impact: LOW
Integrity Impact: NONE
Availability Impact: NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

EPSS: 0.001 Low
Percentile: 27.3%

Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and versions prior to LTS 2.387.1 print an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.

Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do not display error stack traces when agent connections are broken.

Affected configurations

Vulners
Node: org.jenkins-ci.main:jenkins-core
OR
Node: org.jenkins-ci.main:jenkins-core
OR
Node: org.jenkins-ci.main:jenkins-core
