GHSA-v5hq-cqqr-6w4g

Source

https://github.com/advisories/GHSA-v5hq-cqqr-6w4g

Import Source

https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-v5hq-cqqr-6w4g/GHSA-v5hq-cqqr-6w4g.json

JSON Data

https://api.osv.dev/v1/vulns/GHSA-v5hq-cqqr-6w4g

Aliases

CVE-2023-30513

Published

2023-04-12T18:30:37Z

Modified

2023-11-08T04:12:23.384629Z

Severity

4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator

Summary

Jenkins Kubernetes Plugin does not properly mask credentials

Details

Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

The credentials are printed in build steps executing on an agent (typically inside a node block).
Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durabletask.DurableTaskStep.USEWATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

The following plugins are affected by this vulnerability:

Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)
Azure Key Vault 187.vacd5fecd198a and earlier (SECURITY-3051 / CVE-2023-30514)
Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)

The following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:

Kubernetes 3910.ve59cec5e33ea_ (SECURITY-3079 / CVE-2023-30513)
Azure Key Vault 188.vf46b7fa846a_1 (SECURITY-3051 / CVE-2023-30514)

As of publication of this advisory, there is no fix available for the following plugin:

Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)

Database specific

{
    "nvd_published_at": "2023-04-12T18:15:00Z",
    "github_reviewed_at": "2023-04-12T22:21:03Z",
    "severity": "MODERATE",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-319"
    ]
}

References

Affected packages

Maven / org.csanchez.jenkins.plugins:kubernetes

Package

Name: org.csanchez.jenkins.plugins:kubernetes; View open source insights on deps.dev
Purl: pkg:maven/org.csanchez.jenkins.plugins/kubernetes

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Fixed

3910.ve59cec5e33ea

Affected versions

0.*

0.1

0.2

0.3

0.4

0.4.1

0.5

0.6

0.7

0.8

0.9

0.10

0.11

0.12

1.*

1.0

1.1

1.1.1

1.1.2

1.1.3

1.1.4

1.2

1.2.1

1.3

1.3.1

1.3.2

1.3.3

1.4

1.4.1

1.5

1.5.1

1.5.2

1.6.0

1.6.1

1.6.2

1.6.3

1.6.4

1.7.0

1.7.1

1.8.0

1.8.1

1.8.2

1.8.3

1.8.4

1.9.0

1.9.1

1.9.2

1.9.3

1.10.0

1.10.1

1.10.2

1.11.0

1.12.0

1.12.1

1.12.2

1.12.3

1.12.4

1.12.5

1.12.6

1.12.7

1.12.8

1.12.9

1.13.0

1.13.1

1.13.2

1.13.3

1.13.4

1.13.5

1.13.6

1.13.7

1.13.8

1.13.9

1.14.0

1.14.1

1.14.2

1.14.3

1.14.4

1.14.5

1.14.6

1.14.8

1.14.9

1.15.0

1.15.1

1.15.2

1.15.3

1.15.4

1.15.5

1.15.6

1.15.7

1.15.8

1.15.9

1.15.10

1.16.0

1.16.1

1.16.2

1.16.3

1.16.4

1.16.5

1.16.6

1.16.7

1.17.0

1.17.1

1.17.2

1.17.3

1.18.0

1.18.1

1.18.2

1.18.3

1.19.0

1.19.1

1.19.2

1.19.3

1.20.0

1.20.1

1.20.2

1.21.0

1.21.1

1.21.2

1.21.3

1.21.4

1.21.5

1.21.6

1.22.0

1.22.1

1.22.2

1.22.3

1.22.4

1.22.5

1.22.6

1.23.0

1.23.1

1.23.2

1.23.3

1.23.4

1.24.0

1.24.1

1.25.0

1.25.1

1.25.2

1.25.3

1.25.4

1.25.4.1

1.25.5

1.25.6

1.25.7

1.26.0

1.26.1

1.26.2

1.26.3

1.26.4

1.26.5

1.26.6

1.27.0

1.27.1

1.27.1.1

1.27.2

1.27.3

1.27.4

1.27.5

1.27.6

1.27.7

1.27.8

1.28.0

1.28.1

1.28.2

1.28.3

1.28.4

1.28.5

1.28.6

1.28.7

1.29.0

1.29.1

1.29.2

1.29.3

1.29.4

1.29.5

1.29.6

1.29.7

1.30.0

1.30.1

1.30.2

1.30.3

1.30.4

1.30.5

1.30.6

1.30.7

1.30.8

1.30.9

1.30.10

1.30.11

1.31.0

1.31.1

1.31.2

1.31.3

3538.*

3538.v6b_005a_ddced1

3546.*

3546.v6103d89542d6

3568.*

3568.vde94f6b_41b_c8

3578.*

3578.vb_9a_92ea_9845a_

3580.*

3580.v78271e5631dc

3600.*

3600.v144b_cd192ca_a_

3622.*

3622.va_9dc5592b_10c

3636.*

3636.v84b_a_1dea_6240

3646.*

3646.va_b_469a_7666b_7

3651.*

3651.v908e7db_10d06

3663.*

3663.v1c1e0ec5b_650

3670.*

3670.v6ca_059233222

3670.3672.v0ec52a_286336

3690.*

3690.va_9ddf6635481

3697.*

3697.v771155683e38

3704.*

3704.va_08f0206b_95e

3706.*

3706.vdfb_d599579f3

3718.*

3718.ve44878b_12184

3724.*

3724.v0920c1e0ec69

3734.*

3734.v562b_b_a_627ea_c

3743.*

3743.v1fa_4c724c3b_7

3794.*

3794.v45d9da_33d7f1

3800.*

3800.v54b_077b_94b_a_4

3802.*

3802.vb_b_600831fcb_3

3834.*

3834.vdc85747145e6

3837.*

3837.vc555b_1e51272

3839.*

3839.v43e9e4931ccb

3842.*

3842.v7ff395ed0cf3

3845.*

3845.va_9823979a_744

3852.*

3852.v41ea_166a_ed1b_

3872.*

3872.v760b_4a_6c126b_

3883.*

3883.v4d70a_a_a_df034

3893.*

3893.v73d36f3b_9103

3896.*

3896.v19b_160fd9589

3900.*

3900.va_dce992317b_4

3900.3902.v10b_836a_c8c15

3909.*

3909.v1f2c633e8590