Lucene search

Veracode Vulnerability DatabaseVERACODE:43366

HistorySep 25, 2023 - 8:27 a.m.

Sensitive Information Exposure

2023-09-2508:27:28

Veracode Vulnerability Database

sca.analysiscenter.veracode.com

jenkins-core

sensitive information exposure

historypagefilter.java

build variables

item/read permission

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

13.4%

JSON

jenkins-core is vulnerable to Sensitive Information Exposure. The vulnerability is due to the fitsSearchBuildVariables method in HistoryPageFilter.java. This method handles all build variables the same way without considering it’s sensitivity which can lead attackers with Item/Read permission to obtain sensitive variables values used in builds.

CPENameOperatorVersion
jenkins corele2.423
jenkins corele2.414.1
org.jenkins-ci.main:jenkins-corele2.423
org.jenkins-ci.main:jenkins-corele2.414.1

Name	Operator	Version
jenkins core	le	2.423
jenkins core	le	2.414.1
org.jenkins-ci.main:jenkins-core	le	2.423
org.jenkins-ci.main:jenkins-core	le	2.414.1

References

www.openwall.com/lists/oss-security/2023/09/20/5

github.com/advisories/GHSA-279f-qwgh-h5mp

github.com/jenkinsci/jenkins/commit/59dc0585831ef35d64fb0c550559f97184471e7e

github.com/jenkinsci/jenkins/commit/b8ac8cd4c51511b9f844846ba80a8aed054288c5

www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

0.0004 Low

EPSS

Percentile

13.4%

JSON

Related for VERACODE:43366