Headline
GHSA-pj95-ph4q-4qm4: Jenkins exposes multi-line secrets through error messages
Jenkins
Jenkins provides the secretTextarea
form field for multi-line secrets.
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea
form field.
This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.
Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea
form field.
- GitHub Advisory Database
- GitHub Reviewed
- CVE-2024-47803
Jenkins exposes multi-line secrets through error messages
Moderate severity GitHub Reviewed Published Oct 2, 2024 to the GitHub Advisory Database • Updated Oct 2, 2024
Package
maven org.jenkins-ci.main:jenkins-core (Maven)
Affected versions
< 2.462.3
>= 2.466, < 2.479
Patched versions
2.462.3
2.479
Jenkins
Jenkins provides the secretTextarea form field for multi-line secrets.
Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.
This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.
Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.
References
- https://nvd.nist.gov/vuln/detail/CVE-2024-47803
- https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451
Published to the GitHub Advisory Database
Oct 2, 2024
Related news
Red Hat Security Advisory 2024-8887-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.13. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2024-8886-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.12. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2024-8885-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.14. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.
Red Hat Security Advisory 2024-8884-03 - An update for Openshift Jenkins is now available for Red Hat Product OCP Tools 4.15. Red Hat Product Security has rated this update as having a security impact of important. A Common Vulnerability Scoring System base score, which gives a detailed severity rating, is available for each vulnerability from the CVE link in the References section. Issues addressed include bypass and denial of service vulnerabilities.