Description
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
Remediation
References
https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196
http://www.openwall.com/lists/oss-security/2023/08/16/3
Related Vulnerabilities
CVE-2020-6950 Vulnerability in maven package org.glassfish:jakarta.faces
CVE-2020-2253 Vulnerability in maven package org.jenkins-ci.plugins:email-ext
CVE-2017-2613 Vulnerability in maven package org.jenkins-ci.main:jenkins-core
CVE-2022-24814 Vulnerability in npm package directus
CVE-2021-37404 Vulnerability in maven package org.apache.hadoop:hadoop-hdfs-native-client