CVE-2023-43494

medium

Description

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

References

https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261

http://www.openwall.com/lists/oss-security/2023/09/20/5

Details

Source: Mitre, NVD

Published: 2023-09-20

Updated: 2023-09-25

Risk Information

CVSS v2

Base Score: 4

Vector: CVSS2#AV:N/AC:L/Au:S/C:P/I:N/A:N

Severity: Medium

CVSS v3

Base Score: 4.3

Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N