Description
Jenkins Configuration as Code Plugin 1.24 and earlier did not escape values when exporting configuration, resulting in variable interpolation when the exported configuration was imported. This allowed attackers with permission to change Jenkins system configuration to obtain the values of environment variables.
Remediation
References
https://jenkins.io/security/advisory/2019-07-31/#SECURITY-1446
http://www.openwall.com/lists/oss-security/2019/07/31/1