Description

Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

Remediation

References

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075

http://www.openwall.com/lists/oss-security/2023/04/13/3

Related Vulnerabilities

CVE-2023-30514 Vulnerability in maven package org.jenkins-ci.plugins:azure-keyvault

CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-framework-cluster

CVE-2022-24816 Vulnerability in maven package it.geosolutions.jaiext.jiffle:jt-jiffle-language

CVE-2018-1287 Vulnerability in maven package org.apache.jmeter:apachejmeter

CVE-2023-30519 Vulnerability in maven package org.jenkins-ci.plugins:quayio-trigger

Severity

High

Classification

CWE-319 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory