Description
Jenkins Thycotic DevOps Secrets Vault Plugin 1.0.0 and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.
Remediation
References
http://www.openwall.com/lists/oss-security/2023/04/13/3
https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-3075