PT-2019-11763 · Jenkins · Jenkins Configuration As Code Plugin

Oleg Nenashev

Published: 2019-08-07 · Updated: 2023-10-25

CVE-2019-10367

CVSS v3.1: 5.5 (Medium)
Vector: AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Configuration as Code Plugin versions 1.26 and earlier

Description: The issue stems from an incomplete fix for an earlier problem: some values that should be masked when the plugin logs the configuration being applied were not masked. As a result, secrets such as passwords could be disclosed in the Jenkins system log. To decide which values to mask in log messages, the Configuration as Code Plugin inspects the target type and looks for a field, getter, or constructor argument corresponding to the property; however, the fix was incomplete and did not cover one specific log message.

Recommendations: For Jenkins Configuration as Code Plugin versions 1.26 and earlier, as a temporary workaround, administrators can set the logging level of the logger io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator to a level that excludes these messages: higher than FINE for version 1.26, or higher than INFO for versions 1.25 and earlier. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
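One way to apply the workaround above, as an added example that is not part of the advisory or the plugin's own code: a Jenkins init script (placed in init.groovy.d so it runs on every start) that picks the cutoff level from the installed plugin version and raises the named logger. It assumes the plugin's short name is "configuration-as-code" and uses the standard java.util.logging and Jenkins PluginManager APIs.

```groovy
// Workaround for CVE-2019-10367: stop DataBoundConfigurator from emitting the
// configuration-dump messages that may carry unmasked secrets.
// Assumption (not from the advisory): the plugin short name is "configuration-as-code".
import java.util.logging.Level
import java.util.logging.Logger
import hudson.util.VersionNumber
import jenkins.model.Jenkins

final String LOGGER_NAME = 'io.jenkins.plugins.casc.impl.configurators.DataBoundConfigurator'

def plugin = Jenkins.get().pluginManager.getPlugin('configuration-as-code')
if (plugin == null) {
    println 'Configuration as Code plugin not installed; nothing to do'
    return
}

def version = new VersionNumber(plugin.version)
Level leakLevel   // level at which the affected release logs the values
Level cutoff      // lowest level that no longer includes them
if (version.isOlderThan(new VersionNumber('1.26'))) {
    // 1.25 and earlier log them at INFO, so anything above INFO suppresses them
    leakLevel = Level.INFO
    cutoff = Level.WARNING
} else {
    // 1.26 logs them at FINE, so anything above FINE suppresses them
    leakLevel = Level.FINE
    cutoff = Level.INFO
}

// setLevel changes the in-process logger only; the init script re-applies it on restart
def logger = Logger.getLogger(LOGGER_NAME)
logger.setLevel(cutoff)

// Verify the level the advisory flags is actually filtered now
assert !logger.isLoggable(leakLevel) : "${LOGGER_NAME} still emits ${leakLevel} messages"
println "${LOGGER_NAME} set to ${cutoff} for Configuration as Code ${plugin.version}"
```

The same level can be set interactively from the Jenkins script console to confirm the effect before committing the script to init.groovy.d.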

Weakness Enumeration: Insertion into Log File

Related Identifiers: CVE-2019-10367, GHSA-7C3V-VC3X-X789

Affected Products: Jenkins; Jenkins Configuration As Code Plugin