Ecosyste.ms: Advisories
An open API service providing security vulnerability metadata for many open source software ecosystems.
Security Advisories: GSA_kwCzR0hTQS02Mmp2LWo0dzctNWhoOM4AA_6s
Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.
This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.
This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.
Credentials Plugin 1381.v2c3a_12074da_b_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.
This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.
JSON: https://advisories.ecosyste.ms/api/v1/advisories/GSA_kwCzR0hTQS02Mmp2LWo0dzctNWhoOM4AA_6s
Source: GitHub Advisory Database
Origin: Unspecified
Severity: Moderate
Classification: General
Published: 19 days ago
Updated: 13 days ago
CVSS Score: 4.3
CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Identifiers: GHSA-62jv-j4w7-5hh8, CVE-2024-47805
References:
- https://nvd.nist.gov/vuln/detail/CVE-2024-47805
- https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373
- https://github.com/advisories/GHSA-62jv-j4w7-5hh8
Affected Packages
maven:org.jenkins-ci.plugins:credentials
Affected Version Ranges: >= 1372, < 1381.v2c3a, < 1371.1373.v4ebFixed in: 1381.v2c3a, 1371.1373.v4eb