CVE-2023-43494

MEDIUM severity · CVSS 4.3

4.3CVSS MEDIUM

Summary

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Impact & exploitability

Attack vectorNetwork

Attack complexityLow

Privileges requiredLow

User interactionNone

Confidentiality impactLow

Integrity impactNone

Availability impactNone

Exploit probability (EPSS)49%

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Affected products we track (1)

Jenkins

Recommendation

Apply the vendor fix in your normal patch cycle. Open any affected product above for its exact safe version.

Additional information

NVD record
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261Advisory
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261Advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5Advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5Advisory