PT-2023-22743 · Jenkins · Jenkins Azure Key Vault Plugin

Tim Jacomb · Published 2023-04-12 · Updated 2025-02-07 · CVE-2023-30514

CVSS v3.1: 7.5 (High)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Name of the Vulnerable Software and Affected Versions

Jenkins Azure Key Vault Plugin versions 187.va cd5fecd198a and earlier

Description

When push mode for durable task logging is enabled, the plugin does not properly mask credentials in the build log. Instead of being replaced with asterisks, the credentials are visible, potentially exposing sensitive information.

Recommendations

For Jenkins Azure Key Vault Plugin versions 187.va cd5fecd198a and earlier, consider disabling push mode for durable task logging until a fix is available, to prevent credentials from being exposed in the build log.

Fix

Cleartext Transmission of Sensitive Information

Weakness Enumeration

Related Identifiers

CVE-2023-30514
GHSA-GMXM-PR58-V5JC

Affected Products

Jenkins
Jenkins Azure Key Vault Plugin