CVE-2023-40339

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
7.5 HIGH
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Base Score
CVSS 3.x
EPSS Score
Percentile: Unknown
Affected Products (NVD)
VendorProductVersion
jenkinsconfig_file_provider
𝑥
≤ 952.va_544a_6234b_46
𝑥
= Vulnerable software versions
Early Detection
Affected products identified ahead of NVD analysis through intelligence sources.
VendorProductVersionSource
jenkins_projectjenkins_config_file_provider_plugin
953.v0432a_802e4d2 ≤
𝑥
< *
ADP
References
http://www.openwall.com/lists/oss-security/2023/08/16/3
https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090
http://www.openwall.com/lists/oss-security/2023/08/16/3
https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090