Severity: 7.5 HIGH
EPSS: 0.2% (top 52.57%)
CISA KEV: Not in KEV
Exploit: No known exploits
Timeline: Published Oct 2

Description

Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6

Affected Packages (3 packages)

Maven: org.jenkins-ci.plugins:credentials (1372, 1381.v2c3a, +1)
CVEListV5: jenkins_project/jenkins_credentials_plugin (1380.va_435002fa_924)
NVD: jenkins/credentials (1371.vfee6b_095f0a_3, 1380.va_435002fa_924, +1)

Vulnerability Details (3)

GHSA: Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission (2024-10-02)
OSV: Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission (2024-10-02)
CVEList: CVE-2024-47805: Jenkins Credentials Plugin 1380 (2024-10-02)

Vendor Advisories (1)

Jenkins: Jenkins Security Advisory 2024-10-02 (2024-10-02)
CVE-2024-47805 (HIGH CVSS 7.5) | Jenkins Credentials Plugin 1380.va_ | cvebase.io