GSA_kwCzR0hTQS1wajk1LXBoNHEtNHFtNM4AA_6u

Moderate CVSS: 5.3 EPSS: 0.00118% (0.31459 Percentile) EPSS:

Permalink JSON

Jenkins exposes multi-line secrets through error messages

Affected Packages	Affected Versions	Fixed Versions
maven:org.jenkins-ci.main:jenkins-core	>= 2.466, < 2.479, < 2.462.3	2.479, 2.462.3

Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

References:

Identifiers

GHSA-pj95-ph4q-4qm4

CVE-2024-47803

Risk

Severity

Moderate

CVSS

CVSS Score: 5.3

CVSS vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS

EPSS Percentage: 0.00118

EPSS Percentile: 0.31459

Classification

General

Source

GitHub Advisory Database

Origin

Unspecified

Date and time

Published

11 months ago

Updated

11 months ago

API

JSON

ecosyste.ms

Data

Tools

Indexes

Applications

Experiments

Advisories