GHSA-62jv-j4w7-5hh8

Source

https://github.com/advisories/GHSA-62jv-j4w7-5hh8

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2024/10/GHSA-62jv-j4w7-5hh8/GHSA-62jv-j4w7-5hh8.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-62jv-j4w7-5hh8

Aliases

CVE-2024-47805

Published

2024-10-02T18:31:32Z

Modified

2024-11-13T19:23:47.855908Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
5.3 (Medium) CVSS_V4 - CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N CVSS Calculator

Summary

Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission

Details

Jenkins Credentials Plugin 1380.va435002fa924 and earlier, except 1371.1373.v4ebfab_7161e9, does not redact encrypted values of credentials using the SecretBytes type (e.g., Certificate credentials, or Secret file credentials from Plain Credentials Plugin) when accessing item config.xml via REST API or CLI.

This allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials.

This issue is similar to SECURITY-266 in the 2016-05-11 security advisory, which applied to the Secret type used for inline secrets and some credentials types.

Credentials Plugin 1381.v2c3a12074dab_ redacts the encrypted values of credentials using the SecretBytes type in item config.xml files.

This fix is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a12074dab_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.

Database specific

{
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-200",
        "CWE-522"
    ],
    "nvd_published_at": "2024-10-02T16:15:10Z",
    "github_reviewed_at": "2024-10-02T21:50:48Z"
}

References

Affected packages

Maven / org.jenkins-ci.plugins:credentials

Package

Name: org.jenkins-ci.plugins:credentials; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/credentials

Affected ranges

Type: ECOSYSTEM
Events: Introduced

1372

Fixed

1381.v2c3a

Affected versions

1378.*

1378.v81ef4269d764

1380.*

1380.va_435002fa_924

Maven / org.jenkins-ci.plugins:credentials

Package

Name: org.jenkins-ci.plugins:credentials; View open source insights on deps.dev
Purl: pkg:maven/org.jenkins-ci.plugins/credentials

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

1371.1373.v4eb

Affected versions

1.*

1.0

1.1

1.2

1.3

1.3.1

1.4

1.5

1.6

1.7

1.7.1

1.7.2

1.7.3

1.7.4

1.7.5

1.7.6

1.8

1.8.1

1.8.2

1.8.3

1.8.4

1.9

1.9.1

1.9.2

1.9.3

1.9.4

1.10

1.11

1.12

1.13

1.14

1.15

1.16

1.16.1

1.17

1.18

1.19

1.20

1.21

1.22

1.23

1.24

1.25

1.26

1.27

1.28

2.*

2.0

2.0.1

2.0.2

2.0.3

2.0.4

2.0.5

2.0.6

2.0.7

2.1.0

2.1.1

2.1.2

2.1.3

2.1.4

2.1.5

2.1.6

2.1.7

2.1.8

2.1.9

2.1.10

2.1.11

2.1.12

2.1.13

2.1.14

2.1.15

2.1.16

2.1.17

2.1.18

2.1.19

2.2.0

2.2.1

2.3.0

2.3.0.1

2.3.1

2.3.2

2.3.3

2.3.4

2.3.5

2.3.6

2.3.7

2.3.7.1

2.3.8

2.3.9

2.3.10

2.3.11

2.3.12

2.3.13

2.3.13.1

2.3.14

2.3.14.1

2.3.15

2.3.15.1

2.3.17

2.3.18

2.3.19

2.4

2.4.0.1

2.4.1

2.5

2.6

2.6.1

2.6.1.1

2.6.2

1055.*

1055.v1346ba467ba1

1061.*

1061.vb_1fceb_58fa_18

1074.*

1074.v60e6c29b_b_44b_

1074.1076.v39c30cecb_0e2

1087.*

1087.v16065d268466

1087.1089.v2f1b_9a_b_040e4

1105.*

1105.vb_4e24a_c78b_81

1111.*

1111.v35a_307992395

1112.*

1112.vc87b_7a_3597f6

1118.*

1118.v320cd028cb_a_0

1126.*

1126.ve05618c41e62

1129.*

1129.vef26f5df883c

1139.*

1139.veb_9579fca_33b_

1143.*

1143.vb_e8b_b_ceee347

1189.*

1189.vf61b_a_5e2f62e

1214.*

1214.v1de940103927

1224.*

1224.vc23ca_a_9a_2cb_0

1236.*

1236.v31e44e6060c0

1254.*

1254.vb_96f366e7b_a_d

1268.*

1268.v3f0d043d60e9

1271.*

1271.v54b_1c2c6388a_

1290.*

1290.v2e5b_13eb_b_127

1293.*

1293.vff276f713473

1304.*

1304.v5ec13eecef46

1305.*

1305.v04f5ec1f3743

1307.*

1307.v3757c78f17c3

1309.*

1309.v8835d63eb_d8a_

1311.*

1311.vcf0a_900b_37c2

1317.*

1317.v0ce519a_92b_3e

1319.*

1319.v7eb_51b_3a_c97b_

1337.*

1337.v60b_d7b_c7b_c9f

1344.*

1344.v5a_3f65a_1e173

1350.*

1350.v1b_df4d227d1b_

1355.*

1355.v46f52a_b_98d64

1361.*

1361.v56f5ca_35d21c

1371.*

1371.vfee6b_095f0a_3