CVE-2023-39155

Name of the Vulnerable Software and Affected Versions Jenkins Chef Identity Plugin versions 2.0.3 and earlier

Description The issue concerns the Jenkins Chef Identity Plugin, where the user.pem key form field is not masked in versions 2.0.3 and earlier. This increases the potential for attackers to observe and capture the key. The plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller. Although the key is stored encrypted on disk, the lack of masking in the global configuration form poses a risk.

Recommendations For Jenkins Chef Identity Plugin versions 2.0.3 and earlier, consider updating to a version where the user.pem key form field is properly masked to prevent potential attackers from observing and capturing it. As a temporary workaround, restrict access to the global configuration form to minimize the risk of exploitation. At the moment, there is no information about a newer version that contains a fix for this vulnerability.