CVE-2023-43494

Name
CVE-2023-43494
Description
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
NVD Severity
medium
Other trackers
Mailing lists
Exploits
Forges
GitHub (code, issues), Aports (code, issues)

References

Type URI
MISC https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261
MISC http://www.openwall.com/lists/oss-security/2023/09/20/5

Match rules

CPE URI Source package Min version Max version
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:* jenkins >= 2.60.1 < 2.414.2
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:* jenkins >= 2.50 < 2.424

Vulnerable and fixed packages

Source package Branch Version Maintainer Status
jenkins 3.18-community 2.387.3-r0 Francesco Colista <fcolista@alpinelinux.org> possibly vulnerable