Information Disclosure in Jenkins Due to Unredacted Multi-Line Secrets
CVE-2024-47803

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins
Vendor: CVE Published:; 2 October 2024

Summary

A vulnerability in Jenkins allows for the potential disclosure of sensitive multi-line secret values in error messages. When users submit forms that involve the secretTextarea form field, the system fails to appropriately redact the secrets, exposing confidential information unintentionally. This flaw affects Jenkins versions 2.478 and earlier and LTS version 2.462.2 and earlier, thus representing a risk for users who manage sensitive data within their Jenkins environments. It underscores the need for immediate action to mitigate risks associated with accidental information leakage.

References

https://www.jenkins.io/security/advisory/2024-10-02/#SECU...

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 2, 2024