PT-2023-28844 · Jenkins · Jenkins

Sunita · Published 2023-09-20 · Updated 2024-03-06 · CVE-2023-43494

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.50 through 2.423
Jenkins LTS versions 2.60.1 through 2.414.1

Description
The issue allows attackers with Item/Read permission to obtain the values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered. The cause is that the search in the build history widget matches against build variable values without excluding sensitive ones, such as password parameter values, so a search result acts as an oracle for whether a guessed fragment is part of a secret.

Recommendations
For Jenkins versions 2.50 through 2.423, update to version 2.424 or later. For Jenkins LTS versions 2.60.1 through 2.414.1, update to version 2.414.2 or later. As a temporary workaround, consider restricting access to the build history widget for users with Item/Read permission until a patch is applied.
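The following is an added illustration of the defect class described above, not Jenkins code and not taken from the advisory or the upstream fix. It models a build-history search in plain Python with constructed sample builds: the unfixed variant matches a query against every parameter value, including those flagged sensitive, so a query that contains a fragment of a password parameter reveals which build carries it; the fixed variant skips sensitive parameters, so the same query returns nothing. The `Parameter`, `Build` and `sensitive` names are assumptions made for this model.

```python
from dataclasses import dataclass, field


@dataclass
class Parameter:
    """A build parameter as stored with a finished build (constructed model)."""
    name: str
    value: str
    sensitive: bool = False  # assumption: marks password-style parameters


@dataclass
class Build:
    """One entry in a job's build history (constructed model)."""
    number: int
    display_name: str
    params: list[Parameter] = field(default_factory=list)


def search_builds_unfixed(builds: list[Build], query: str) -> list[int]:
    """Models the flawed behaviour: the query is matched against the display
    name and against EVERY parameter value, sensitive ones included, so the
    result set reveals whether a guessed fragment occurs inside a secret."""
    q = query.lower()
    return [
        b.number
        for b in builds
        if q in b.display_name.lower()
        or any(q in p.value.lower() for p in b.params)
    ]


def search_builds_fixed(builds: list[Build], query: str) -> list[int]:
    """Models the corrected behaviour: parameters flagged sensitive are never
    consulted by the search, so their values cannot be probed via results."""
    q = query.lower()
    return [
        b.number
        for b in builds
        if q in b.display_name.lower()
        or any(q in p.value.lower() for p in b.params if not p.sensitive)
    ]


# Constructed sample history: two deploy builds, each carrying a normal
# parameter and a sensitive (password-style) one. Values are placeholders.
SAMPLE_BUILDS = [
    Build(1, "deploy #1", [
        Parameter("BRANCH", "main"),
        Parameter("DEPLOY_TOKEN", "hunter2-example", sensitive=True),
    ]),
    Build(2, "deploy #2", [
        Parameter("BRANCH", "release"),
        Parameter("DEPLOY_TOKEN", "s3cret-example", sensitive=True),
    ]),
]


if __name__ == "__main__":
    # A fragment of the sensitive value matches in the unfixed model only.
    print("unfixed, query 'hunter':", search_builds_unfixed(SAMPLE_BUILDS, "hunter"))
    print("fixed,   query 'hunter':", search_builds_fixed(SAMPLE_BUILDS, "hunter"))
    # Ordinary searches keep working after the fix.
    print("fixed,   query 'main':  ", search_builds_fixed(SAMPLE_BUILDS, "main"))
    print("fixed,   query 'deploy':", search_builds_fixed(SAMPLE_BUILDS, "deploy"))
```

The point of the model is that the leak does not require reading the parameter value directly: a read-only user only needs a search result that differs depending on the secret. The mitigation is therefore to exclude sensitive parameters from every search or filter path rather than to mask them only on the build page, which is why the workaround above restricts the widget itself until the upgrade is applied.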

Related Identifiers

BIT-JENKINS-2023-43494
CVE-2023-43494
GHSA-279F-QWGH-H5MP

Affected Products

Jenkins