Insufficient Credential Masking in Jenkins Azure Key Vault Plugin
CVE-2023-30514

7.5HIGH

Key Information:

Vendor: Jenkins
Status: Jenkins Azure Key Vault Plugin
Vendor: CVE Published:; 12 April 2023

Summary

The Azure Key Vault Plugin for Jenkins presents a security challenge due to its inadequate masking of sensitive credentials within the build log. When the push mode for durable task logging is activated, the plugin fails to conceal credentials effectively, leaving them exposed in logs. This oversight can lead to unauthorized access and data leakage, posing a risk to organizations relying on this integration for secure key management.

Affected Version(s)

Jenkins Azure Key Vault Plugin 0 <= 187.va_cd5fecd198a_

References

https://www.jenkins.io/security/advisory/2023-04-12/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/13/3

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2023
Vulnerability Reserved
Apr 12, 2023