2232423 – (CVE-2023-40339) CVE-2023-40339 jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin

Bug 2232423 (CVE-2023-40339) - CVE-2023-40339 jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin

Summary: CVE-2023-40339 jenkins-plugins: config-file-provider: Improper masking of cre...

Keywords:
Status:	NEW
Alias:	CVE-2023-40339
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	medium
Severity:	medium
Target Milestone:	---
Assignee:	Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2232427
TreeView+	depends on / blocked

Reported:	2023-08-16 19:46 UTC by Zack Miele
Modified:	2023-08-17 18:32 UTC (History)
CC List:	10 users (show)
Fixed In Version:	Config File Provider Plugin 953.v0432a_802e4d2
Doc Type:	If docs needed, set a value
Doc Text:	A flaw was found in the Config File Provider Jenkins Plugin. Affected versions of this plugin do not mask (replace with asterisks) credentials specified in configuration files when they're written to the build log.
Clone Of:
Environment:
Last Closed:
Embargoed:

Attachments	(Terms of Use)

Description Zack Miele 2023-08-16 19:46:09 UTC

Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.

https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090

Note You need to log in before you can comment on or make changes to this bug.