Description

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

Related Vulnerabilities

CVE-2021-42357 Vulnerability in maven package org.apache.knox:gateway-service-knoxsso

CVE-2019-19771 Vulnerability in npm package bitcoisnj-lib

CVE-2022-40705 Vulnerability in maven package soap:soap

CVE-2020-2244 Vulnerability in maven package org.jenkins-ci.plugins:build-failure-analyzer

CVE-2020-16024 Vulnerability in npm package electron

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory