CVE-2023-43494 - OpenCVE

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

Vendors & Products
CPE Configurations

Vendors	Products
Jenkins	Jenkins

Configuration 1 [-]

OR	cpe:2.3:a:jenkins:jenkins:::::-:::*
	cpe:2.3:a:jenkins:jenkins:::::lts:::*

References

Link	Resource
http://www.openwall.com/lists/oss-security/2023/09/20/5	Mailing List Third Party Advisory
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261	Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: jenkins

Published: 2023-09-20T16:06:08.742Z

Updated: 2023-10-24T12:51:59.931Z

Reserved: 2023-09-19T09:22:58.129Z

Link: CVE-2023-43494

JSON object: View

NVD Information

Status : Analyzed

Published: 2023-09-20T17:15:11.667

Modified: 2023-09-25T13:43:35.503

Link: CVE-2023-43494

JSON object: View

Redhat Information

No data.

CWE

NVD-CWE-noinfo

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "5429075A-09F1-4F3C-A487-A9DF0A08B28B", "versionEndExcluding": "2.424", "versionStartIncluding": "2.50", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "9A7FCC84-AD94-48E6-AE0A-96C73A8E4614", "versionEndExcluding": "2.414.2", "versionStartIncluding": "2.60.1", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered."}, {"lang": "es", "value": "Jenkins 2.50 a 2.423 (ambos inclusive), LTS 2.60.1 a 2.414.1 (ambos inclusive) no excluye variables de compilaci\u00f3n confidenciales (por ejemplo, valores de par\u00e1metros de contrase\u00f1a) de la b\u00fasqueda en el widget del historial de compilaci\u00f3n, lo que permite a los atacantes con permiso de elemento/lectura. para obtener valores de variables sensibles utilizadas en compilaciones probando iterativamente diferentes caracteres hasta que se descubre la secuencia correcta."}], "id": "CVE-2023-43494", "lastModified": "2023-09-25T13:43:35.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-09-20T17:15:11.667", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/09/20/5"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}