PT-2019-11742 · Jenkins · Jenkins Configuration As Code Plugin

Mikaël Barbero · Published 2019-07-31 · Updated 2023-10-25

CVE-2019-10343

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions

Jenkins Configuration as Code Plugin versions 1.24 and earlier
Jenkins Configuration as Code Plugin versions 0.8-alpha through 1.0

Description

The issue concerns the logging of configuration changes by the Configuration as Code Plugin, where secrets such as passwords are not properly masked, potentially leading to accidental disclosure. The plugin logs configuration changes to the Jenkins system log. Between versions 0.8-alpha and 1.0, these log messages contained the unmasked values of attributes that were specified via properties in the YAML file. Since version 1.1, the plugin attempts to mask values of type Secret, but in many cases this masking did not take effect, because plugins use the Secret type internally without exposing it in their Java API. The plugin has been updated to inspect the target type and look for fields, getters, or constructor arguments of type Secret, which improves secret detection for log message masking.

Recommendations

For Jenkins Configuration as Code Plugin versions 1.24 and earlier, consider configuring the logging level of the logger io.jenkins.plugins.casc.Attribute to a level that does not include INFO messages as a temporary workaround. For Jenkins Configuration as Code Plugin versions 0.8-alpha through 1.0, the same logging level configuration workaround can be applied. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
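The following Java program is an added illustration of the two points above (the masking gap described in the Description and the logger-level workaround in the Recommendations); it is not code from the Configuration as Code Plugin or from this advisory's author. The `Secret` class, the `ArtifactoryConfig` class and the YAML-derived values are constructed stand-ins so the program runs outside Jenkins; the logger name `io.jenkins.plugins.casc.Attribute` is the one named in the advisory.

```java
import java.lang.reflect.Constructor;
import java.lang.reflect.Field;
import java.lang.reflect.Method;
import java.lang.reflect.Parameter;
import java.util.LinkedHashMap;
import java.util.Map;
import java.util.logging.Level;
import java.util.logging.Logger;

public class CascSecretMaskingDemo {

    /** Constructed stand-in for hudson.util.Secret so the example runs without Jenkins. */
    static final class Secret {
        private final String plain;
        Secret(String plain) { this.plain = plain; }
        String getPlainText() { return plain; }
    }

    /**
     * Constructed example of a plugin configuration class: its public API exposes only
     * String getters, while the backing field and constructor argument are of type Secret.
     * A masker that looks only at the public API, or only at the runtime type of the
     * YAML value, sees a plain String and would log the password in clear.
     */
    static final class ArtifactoryConfig {
        private final String url;
        private final Secret password;
        ArtifactoryConfig(String url, Secret password) { this.url = url; this.password = password; }
        public String getUrl() { return url; }
        public String getPassword() { return password.getPlainText(); } // String in the API
    }

    /** Value-only check: masks only when the value object itself is a Secret. */
    static boolean isSecretByValue(Object value) {
        return value instanceof Secret;
    }

    /**
     * Type-aware check: does the target class declare a field, a getter or a constructor
     * parameter named like the attribute whose type is Secret? Constructor parameter
     * names are only available when the class was compiled with -parameters; the field
     * check covers the common case regardless.
     */
    static boolean isSecretAttribute(Class<?> target, String attribute) {
        for (Field f : target.getDeclaredFields()) {
            if (f.getName().equals(attribute) && f.getType() == Secret.class) return true;
        }
        String getter = "get" + Character.toUpperCase(attribute.charAt(0)) + attribute.substring(1);
        for (Method m : target.getDeclaredMethods()) {
            if (m.getName().equals(getter) && m.getParameterCount() == 0
                    && m.getReturnType() == Secret.class) return true;
        }
        for (Constructor<?> c : target.getDeclaredConstructors()) {
            for (Parameter p : c.getParameters()) {
                if (p.isNamePresent() && p.getName().equals(attribute)
                        && p.getType() == Secret.class) return true;
            }
        }
        return false;
    }

    /** Builds the log line for one attribute change, masking anything detected as secret. */
    static String describeChange(Class<?> target, String attribute, Object value) {
        boolean secret = isSecretByValue(value) || isSecretAttribute(target, attribute);
        return attribute + " = " + (secret ? "****" : String.valueOf(value));
    }

    public static void main(String[] args) {
        Logger log = Logger.getLogger("io.jenkins.plugins.casc.Attribute");

        // Constructed attribute values as they arrive from the YAML file: property
        // references have already been resolved, so the password is a plain String.
        Map<String, Object> yaml = new LinkedHashMap<>();
        yaml.put("url", "https://artifactory.example.internal");
        yaml.put("password", "constructed-plaintext-password");

        for (Map.Entry<String, Object> e : yaml.entrySet()) {
            // Value-only masking: the password is a String, so it is logged in clear.
            Object v = e.getValue();
            log.info("value-only: " + e.getKey() + " = " + (isSecretByValue(v) ? "****" : v));
            // Type-aware masking: the backing field is a Secret, so the value is masked.
            log.info("type-aware: " + describeChange(ArtifactoryConfig.class, e.getKey(), v));
        }

        // Workaround from the advisory: raise the logger above INFO so attribute changes
        // are not written to the system log at all.
        log.setLevel(Level.WARNING);
        log.info("this line is not emitted once the workaround is applied");
        System.out.println("INFO still loggable after workaround: " + log.isLoggable(Level.INFO));
    }
}
```

The `log.setLevel(Level.WARNING)` call is the same java.util.logging operation the workaround relies on; in a running Jenkins instance the equivalent can be applied through the System Log configuration or from a startup script in `init.groovy.d`. Note that the workaround suppresses the whole attribute-change log stream, not just the secret values, so it trades auditability for confidentiality until a masking fix is in place.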

Weakness Enumeration

Insertion into Log File

Related Identifiers

CVE-2019-10343
GHSA-VWQ9-CMQR-3C8C

Affected Products

Jenkins
Jenkins Configuration As Code Plugin