Security
Headlines
HeadlinesLatestCVEs

Headline

GHSA-pj95-ph4q-4qm4: Jenkins exposes multi-line secrets through error messages

Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

ghsa
#git#java#maven
  1. GitHub Advisory Database
  2. GitHub Reviewed
  3. CVE-2024-47803

Jenkins exposes multi-line secrets through error messages

Moderate severity GitHub Reviewed Published Oct 2, 2024 to the GitHub Advisory Database • Updated Oct 2, 2024

Package

maven org.jenkins-ci.main:jenkins-core (Maven)

Affected versions

< 2.462.3

>= 2.466, < 2.479

Patched versions

2.462.3

2.479

Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

References

  • https://nvd.nist.gov/vuln/detail/CVE-2024-47803
  • https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451

Published to the GitHub Advisory Database

Oct 2, 2024

Related news

Red Hat Security Advisory 2024-8887-03

Red Hat Security Advisory 2024-8887-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2024-8886-03

Red Hat Security Advisory 2024-8886-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2024-8885-03

Red Hat Security Advisory 2024-8885-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.

Red Hat Security Advisory 2024-8884-03

Red Hat Security Advisory 2024-8884-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.