Credential Exposure in Jenkins Git Plugin by CloudBees
CVE-2022-38663

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Git Plugin
Vendor: CVE Published:; 23 August 2022

What is CVE-2022-38663?

The Jenkins Git Plugin prior to version 4.11.5 improperly masks sensitive credentials in build logs. Specifically, the Git Username and Password (gitUsernamePassword) credentials binding fails to replace these credentials with asterisks, potentially exposing them to unauthorized users. This vulnerability could lead to sensitive information leakage, putting affected systems at risk. It's crucial for users of the Jenkins Git Plugin to upgrade to the latest version to mitigate exposure risks associated with this issue.

Affected Version(s)

Jenkins Git Plugin <= 4.11.4

Jenkins Git Plugin 4.9.4

References

https://www.jenkins.io/security/advisory/2022-08-23/#SECU...

x_refsource_CONFIRM

http://www.openwall.com/lists/oss-security/2022/08/23/2

mailing-listx_refsource_MLIST

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Aug 23, 2022
Vulnerability Reserved
Aug 22, 2022