PT-2023-24115 · Jenkins · Jenkins Ansible Plugin
Kevin Guerroudj
·
Published
2023-05-16
·
Updated
2023-05-25
·
CVE-2023-32982
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Ansible Plugin versions 204.v8191fd551eb_f and earlier
Description
Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores the extra variables passed to a playbook, which are commonly used to carry secrets such as vault passwords and API tokens, unencrypted in the job's config.xml on the Jenkins controller. Anyone with Item/Extended Read permission on the job, or with read access to the controller's file system (including backups of JENKINS_HOME), can read them. The job configuration form also does not mask these values, so an attacker able to view the form can observe and capture them.
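A quick way to check whether a controller is still carrying the condition described above is to scan each job's config.xml for extra variables whose value is not a Jenkins encrypted Secret. The script below is an added example written for this page, not code from the plugin or from the advisory. It assumes the plugin serialises extra variables as an `<extraVars>` element whose entries carry `<key>`, `<value>` and `<hidden>` children, and that an encrypted value has the Jenkins Secret form `{base64}`; adjust the element names if your config.xml differs. The sample config is constructed for illustration.

```python
"""Scan Jenkins job config.xml files for Ansible Plugin extra variables
stored in cleartext (the CVE-2023-32982 condition).

Assumptions (not taken from the advisory): extra variables live under an
<extraVars> element as entries with <key>, <value> and <hidden> children,
and an encrypted value is a Jenkins Secret serialised as "{base64}".
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins Secret.toString() form: base64 payload wrapped in braces.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def is_encrypted_secret(value: str) -> bool:
    """True if the value looks like an encrypted Jenkins Secret."""
    return bool(ENCRYPTED_RE.match(value.strip()))


def find_cleartext_extra_vars(config_xml: str) -> list[tuple[str, bool]]:
    """Return (key, hidden) for every extra var whose value is cleartext.

    The value itself is deliberately not returned, so a scan report does
    not become a second copy of the secret. hidden=True entries are the
    ones the job author marked as secrets; those are the real findings.
    """
    root = ET.fromstring(config_xml)
    findings = []
    for extra_vars in root.iter("extraVars"):
        for entry in extra_vars:
            value = entry.findtext("value")
            if value is None:
                continue
            key = (entry.findtext("key") or "").strip()
            hidden = (entry.findtext("hidden") or "false").strip().lower() == "true"
            if not is_encrypted_secret(value):
                findings.append((key, hidden))
    return findings


def scan_jobs_dir(jobs_dir: Path) -> dict[str, list[tuple[str, bool]]]:
    """Walk JENKINS_HOME/jobs and map each config.xml to its cleartext vars."""
    report = {}
    for config in jobs_dir.rglob("config.xml"):
        try:
            hits = find_cleartext_extra_vars(config.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # not a job config we can read; skip rather than abort
        if hits:
            report[str(config)] = hits
    return report


# Constructed sample (not a real job): one hidden secret stored in cleartext,
# one already-encrypted value, and one non-secret variable.
SAMPLE_CONFIG = """<project>
  <builders>
    <org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
      <playbook>site.yml</playbook>
      <extraVars>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>vault_password</key>
          <value>hunter2</value>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>api_token</key>
          <value>{AQAAABAAAAAQ3zJ1QmFzZTY0IGRhdGE=}</value>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>target_env</key>
          <value>staging</value>
          <hidden>false</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
      </extraVars>
    </org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
  </builders>
</project>
"""

if __name__ == "__main__":
    for key, hidden in find_cleartext_extra_vars(SAMPLE_CONFIG):
        level = "SECRET IN CLEARTEXT" if hidden else "cleartext (not marked hidden)"
        print(f"{level}: {key}")
```

Run it against `JENKINS_HOME/jobs` with `scan_jobs_dir(Path("/var/lib/jenkins/jobs"))` as a user who already has file-system access to the controller; a `hidden=True` hit is a secret that should be considered exposed and rotated, not just re-encrypted.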
Recommendations
For Jenkins Ansible Plugin versions 204.v8191fd551eb_f and earlier, update to version 205.v4cb_c48657c21 or later. The fixed version stores extra variables encrypted and masks them on the configuration form. Encryption is applied when a job configuration is saved, so re-save existing jobs (or verify their config.xml) after upgrading, and rotate any secrets that were stored in cleartext, since they may already have been read by users with Item/Extended Read permission or file-system access.
Weaknesses
CWE-312: Cleartext Storage of Sensitive Information
CWE-311: Missing Encryption of Sensitive Data
Affected Products
Jenkins
Jenkins Ansible Plugin