Description

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

Related Vulnerabilities

CVE-2022-25927 Vulnerability in maven package org.webjars.npm:ua-parser-js

CVE-2020-5245 Vulnerability in maven package io.dropwizard:dropwizard-validation

CVE-2021-21290 Vulnerability in maven package io.netty:netty-transport-native-unix-common-tests

CVE-2021-43980 Vulnerability in maven package org.apache.tomcat:tomcat

CVE-2021-27906 Vulnerability in maven package org.apache.pdfbox:pdfbox

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory