Bug 2239934 (CVE-2023-43494)

Summary: CVE-2023-43494 jenkins: Builds can be filtered by values of sensitive build variables
Product: [Other] Security Response
Reporter: Pedro Sampaio <psampaio>
Component: vulnerability
Assignee: Sayan Biswas <sabiswas>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: asatyam, dfreiber, diagrawa, jburrell, rogbas, vkumar
Keywords: Security
Hardware: All
OS: Linux
Fixed In Version: jenkins 2.424, jenkins LTS 2.414.2
Doc Text:
A flaw was found in Jenkins weekly and LTS caused by not excluding sensitive build variables when filtering builds in the build history widget. By sending a specially crafted request, a remote, authenticated attacker could obtain values of sensitive variables used in builds and use this information to launch further attacks against the affected system.
Bug Blocks: 2240098    

Description Pedro Sampaio 2023-09-20 21:06:37 UTC
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc.

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from this search.

This allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Jenkins 2.424, LTS 2.414.2 excludes sensitive variables from this search.

References:

https://www.jenkins.io/security/advisory/2023-09-20/
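
The affected ranges above translate directly into a version check for a controller inventory. The following is an added example, not code from the bug report or from the Jenkins project; the function names and the sample inventory are hypothetical, and it assumes a two-component version (2.423) is a weekly release and a three-component version (2.414.1) is an LTS release.

```python
import re

# Affected ranges as stated in the description (both ends inclusive).
WEEKLY_AFFECTED = ((2, 50), (2, 423))
LTS_AFFECTED = ((2, 60, 1), (2, 414, 1))
FIXED = {"weekly": "2.424", "LTS": "2.414.2"}

_VERSION_RE = re.compile(r"^\d+(\.\d+){1,2}$")


def classify(version):
    """Return (release line, numeric tuple) for a Jenkins core version.

    Assumption: two components means weekly, three components means LTS.
    """
    version = version.strip()
    if not _VERSION_RE.match(version):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    parts = tuple(int(p) for p in version.split("."))
    return ("LTS" if len(parts) == 3 else "weekly"), parts


def is_affected(version):
    """True if the version lies in a range the description lists as affected."""
    line, parts = classify(version)
    low, high = LTS_AFFECTED if line == "LTS" else WEEKLY_AFFECTED
    return low <= parts <= high


def report(inventory):
    """Map controller name to a status string for a {name: version} dict."""
    out = {}
    for name, version in inventory.items():
        try:
            line, _ = classify(version)
            affected = is_affected(version)
        except ValueError:
            # Suffixed or malformed versions are not guessed at.
            out[name] = "unknown version, check manually"
            continue
        out[name] = (f"affected, upgrade to {FIXED[line]} or later"
                     if affected else "not in affected range")
    return out


if __name__ == "__main__":
    # Constructed sample inventory; names and versions are illustrative.
    sample = {"ci-a": "2.423", "ci-b": "2.414.2", "ci-c": "2.426-SNAPSHOT"}
    for name, status in report(sample).items():
        print(f"{name}: {status}")
```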