Ecosyste.ms: Advisories

An open API service providing security vulnerability metadata for many open source software ecosystems.

Security Advisories: GSA_kwCzR0hTQS01amM1LW04N3gtODhmas4AA05e

Secret displayed without masking by Chef Identity Plugin

Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

Permalink: https://github.com/advisories/GHSA-5jc5-m87x-88fj
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS01amM1LW04N3gtODhmas4AA05e
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Low
Classification: General
Published: 9 months ago
Updated: 6 months ago


CVSS Score: 3.1
CVSS vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N

Identifiers: GHSA-5jc5-m87x-88fj, CVE-2023-39155
References:
Blast Radius: 1.0

Affected Packages

maven:org.jenkins-ci.plugins:chef-identity
Affected Version Ranges: <= 2.0.3
No known fixed version