Bug 2232423 (CVE-2023-40339)

Summary: CVE-2023-40339 jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin
Product: [Other] Security Response Reporter: Zack Miele <zmiele>
Component: vulnerabilityAssignee: Sayan Biswas <sabiswas>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: asatyam, dfreiber, diagrawa, ellin, jburrell, rogbas, vkumar
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Config File Provider Plugin 953.v0432a_802e4d2 Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in the Config File Provider Jenkins Plugin. Affected versions of this plugin do not mask (replace with asterisks) credentials specified in configuration files when they're written to the build log.
 Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2232427    

Description Zack Miele 2023-08-16 19:46:09 UTC 
Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090
Comment 3 errata-xmlrpc 2024-02-12 10:25:35 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.14

Via RHSA-2024:0777 https://access.redhat.com/errata/RHSA-2024:0777
Comment 4 errata-xmlrpc 2024-02-12 10:37:12 UTC 
This issue has been addressed in the following products:

  OpenShift Developer Tools and Services for OCP 4.12

Via RHSA-2024:0778 https://access.redhat.com/errata/RHSA-2024:0778