Bug 2239934 (CVE-2023-43494) - CVE-2023-43494 jenkins: Builds can be filtered by values of sensitive build variables
Summary: CVE-2023-43494 jenkins: Builds can be filtered by values of sensitive build v...
Keywords:
Status: NEW
Alias: CVE-2023-43494
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Sayan Biswas
QA Contact:
URL:
Whiteboard:
Depends On:
Blocks: 2240098
TreeView+ depends on / blocked
 
Reported: 2023-09-20 21:06 UTC by Pedro Sampaio
Modified: 2024-05-02 18:49 UTC (History)
7 users (show)

Fixed In Version: jenkins 2.424, jenkins LTS 2.414.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Jenkins weekly and LTS caused by not excluding sensitive build variables when filtering builds in the build history widget. By sending a specially crafted request, a remote, authenticated attacker could obtain values of sensitive variables used in builds and use this information to launch further attacks against the affected system.
Clone Of:
Environment:
Last Closed:
Embargoed:


Attachments (Terms of Use)

Description Pedro Sampaio 2023-09-20 21:06:37 UTC
Jenkins allows filtering builds in the build history widget by specifying an expression that searches for matching builds by name, description, parameter values, etc.

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from this search.

This allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Jenkins 2.424, LTS 2.414.2 excludes sensitive variables from this search.

References:

https://www.jenkins.io/security/advisory/2023-09-20/


Note You need to log in before you can comment on or make changes to this bug.