PT-2023-24116 · Jenkins · Jenkins Ansible Plugin

Kevin Guerroudj · Published 2023-05-16 · Updated 2023-05-25 · CVE-2023-32983

CVSS v3.1: 5.3 (Medium)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Ansible Plugin versions 204.v8191fd551ebf and earlier

Description: The Jenkins Ansible Plugin allows extra variables to be specified and passed to Ansible; these are commonly used to pass secrets. The plugin stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration, where they can be read by users with Item/Extended Read permission or with access to the Jenkins controller file system. In addition, the job configuration form does not mask the extra variables, so anyone who can view the form can observe and capture them.

Recommendations: For Jenkins Ansible Plugin versions 204.v8191fd551ebf and earlier, update to version 205.v4cbc48657c21 or later. The fixed version masks extra variables on the configuration form and stores them encrypted once job configurations are saved again; values already on disk remain in cleartext until each affected job configuration is saved again.
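An added audit example (not the advisory's or the plugin's code) that walks a job config.xml looking for Ansible extra variables whose value is still stored in cleartext rather than as a Jenkins encrypted Secret, which is what a controller admin would run after upgrading to find jobs that still need re-saving. The ExtraVar/key/value element names, the Secret ciphertext pattern and the sample config are assumptions and constructed data.

```python
# Added example (not the advisory's or the plugin's code): flag Ansible
# extra vars that a Jenkins job config.xml still holds in cleartext.
# Assumption: each var is an <...ExtraVar> element with <key>/<value>
# children (element names assumed); encrypted Secrets appear as {base64}.
import re
import xml.etree.ElementTree as ET

ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")  # Jenkins Secret form


def find_cleartext_extra_vars(config_xml: str) -> list[tuple[str, str]]:
    """Return (key, value) pairs whose value is not an encrypted Secret."""
    root = ET.fromstring(config_xml)
    findings = []
    for elem in root.iter():
        # Match the ExtraVar element whatever its Java package prefix is.
        if elem.tag.rsplit(".", 1)[-1].lower() != "extravar":
            continue
        key = (elem.findtext("key") or "").strip()
        value = (elem.findtext("value") or "").strip()
        if value and not ENCRYPTED_RE.match(value):
            findings.append((key, value))
    return findings


# Constructed sample: one var left in cleartext by an unpatched plugin,
# one already re-saved as an encrypted Secret.
SAMPLE_CONFIG = """<project>
  <builders>
    <org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
      <extraVars>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>db_password</key>
          <value>hunter2-constructed</value>
        </org.jenkinsci.plugins.ansible.ExtraVar>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>api_token</key>
          <value>{AQAAABAAAAAQY29uc3RydWN0ZWQtY2lwaGVydGV4dA==}</value>
        </org.jenkinsci.plugins.ansible.ExtraVar>
      </extraVars>
    </org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for key, value in find_cleartext_extra_vars(SAMPLE_CONFIG):
        print(f"cleartext extra var {key!r}: {len(value)} chars, re-save job")
```

Run it over `$JENKINS_HOME/jobs/*/config.xml`; only the variable names and lengths are printed so the audit output itself does not leak the secret values.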

Fix

Weakness Enumeration

Cleartext Storage of Sensitive Information

Related Identifiers

CVE-2023-32983
GHSA-97WP-63WQ-HFWH

Affected Products

Jenkins
Jenkins Ansible Plugin