CVE-2023-43494: Permissive Regular Expression in Jenkins

Severity: 4.3 MEDIUM (NVD)
EPSS: 53.3% (top 2.02%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products: see Affected Packages below
Timeline: Published Sep 20

Description

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Exploitability: 2.8 | Impact: 1.4

Affected Packages (1 package)

Source: NVD | Package: jenkins/jenkins | Affected from: 2.50 | Fixed in: 2.424 | +1

Vulnerability Details (3)

OSV: Jenkins does not exclude sensitive build variables from search (2023-09-20)
GHSA: Jenkins does not exclude sensitive build variables from search (2023-09-20)
CVEList: CVE-2023-43494: Jenkins 2 (2023-09-20)

Vendor Advisories (2)

Jenkins: Jenkins Security Advisory 2023-09-20 (2023-09-20)
Red Hat: jenkins: Builds can be filtered by values of sensitive build variables (2023-09-20)