PT-2024-32821 · Jenkins · Jenkins Credentials Plugin

Kevin Guerroudj · Published 2024-10-02 · Updated 2024-11-13 · CVE-2024-47805

CVSS v3.1: 7.5 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Credentials Plugin versions 1380.va_435002fa_924 and earlier, except version 1371.1373.v4eb_fa_b_7161e9.

Description: The Jenkins Credentials Plugin does not redact encrypted values of credentials that use the SecretBytes type when an item's config.xml is accessed via the REST API or CLI. Jenkins core already redacts Secret-typed values on this path for users who lack Item/Configure, but SecretBytes payloads were passed through unchanged. This allows attackers with Item/Extended Read permission to view the encrypted SecretBytes values of credentials stored in the item, including Certificate credentials and Secret file credentials from Plain Credentials Plugin. The values are encrypted with the instance's master key, so the exposure matters most to an attacker who can also reach the key material under $JENKINS_HOME/secrets or otherwise decrypt on the instance. The issue is similar to a previous security advisory from 2016.

Recommendations: For Jenkins Credentials Plugin versions 1380.va_435002fa_924 and earlier, except version 1371.1373.v4eb_fa_b_7161e9, update to version 1381.v2c3a_12074da_b or later. The plugin fix is only effective on Jenkins 2.479 or newer, or LTS 2.462.3 or newer, because the redaction of SecretBytes values in config.xml is performed by Jenkins core; updating the plugin alone does not close the issue. As a temporary workaround, restrict access to item config.xml via the REST API and CLI, for example by withholding Item/Extended Read from accounts that do not need it, to minimize the risk of exploitation.
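As an added example (not code from this advisory, from the Credentials Plugin, or from Jenkins core), the following Python script checks whether an item's config.xml, as served to a user who holds only Item/Extended Read, still contains unredacted encrypted payloads. Running it before and after the plugin and core upgrade confirms that the redaction actually took effect. Assumed here: the `********` redaction marker and the brace-wrapped base64 shape of serialised Secret/SecretBytes values (modelled on how Jenkins core matches them), the element names in the constructed sample, and the helper names `looks_encrypted`, `find_unredacted` and `fetch_config_xml`.

```python
"""Added check for CVE-2024-47805: list unredacted encrypted payloads in config.xml.

Jenkins core redacts Secret-typed values for users with Item/Extended Read but not
Item/Configure; the bug is that SecretBytes payloads (Secret file and Certificate
credentials) were left in place.  Not part of the advisory or of Jenkins itself.
"""
import base64
import re
import sys
import urllib.request
import xml.etree.ElementTree as ET

# Shape of a serialised Secret / SecretBytes value: base64 wrapped in braces.
# Assumption: modelled on the regex Jenkins core uses for this; legacy brace-less
# values are deliberately not matched to keep false positives down.
ENCRYPTED_VALUE = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")
REDACTED = "********"        # marker core writes in place of a redacted value
MIN_PAYLOAD_LEN = 16         # anything shorter cannot carry a real payload


def looks_encrypted(text):
    """True if `text` is a brace-wrapped, syntactically valid base64 payload."""
    m = ENCRYPTED_VALUE.match(text.strip())
    if not m or len(m.group(1)) < MIN_PAYLOAD_LEN:
        return False
    try:
        base64.b64decode(m.group(1), validate=True)
    except ValueError:       # binascii.Error is a ValueError subclass
        return False
    return True


def find_unredacted(xml_text):
    """Return slash-separated element paths whose text is an unredacted payload."""
    findings = []

    def walk(elem, path):
        if elem.text and looks_encrypted(elem.text):
            findings.append(path)
        for child in elem:
            walk(child, path + "/" + child.tag)

    root = ET.fromstring(xml_text)
    walk(root, root.tag)
    return findings


def fetch_config_xml(base_url, item_path, user, api_token):
    """GET /job/<a>/job/<b>/config.xml with HTTP basic auth (user + API token).

    Use an account that has only Item/Extended Read on the item so the response
    reflects what such a user would see.  Network helper, not exercised offline.
    """
    segments = "/".join("job/" + s for s in item_path.strip("/").split("/"))
    req = urllib.request.Request(f"{base_url.rstrip('/')}/{segments}/config.xml")
    token = base64.b64encode(f"{user}:{api_token}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.read().decode("utf-8")


# Constructed sample: a folder config.xml holding two credentials, as a user with
# Item/Extended Read would see it on a vulnerable instance.  The Secret-typed
# <password> is already redacted by core; the SecretBytes-typed <secretBytes> of
# the Secret file credential is not.  Element names follow the plugins' field
# names; the payload bytes are made up.
SAMPLE_SECRET_PAYLOAD = "{AQAAABAAAAAgRXhhbXBsZU9ubHlOb3RBUmVhbFBheWxvYWQwMTIzNDU2Nzg5}"
SAMPLE_CONFIG_XML = f"""<com.cloudbees.hudson.plugins.folder.Folder plugin="cloudbees-folder">
  <description>Team folder</description>
  <properties>
    <com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
      <domainCredentialsMap>
        <entry>
          <com.cloudbees.plugins.credentials.domains.Domain/>
          <java.util.concurrent.CopyOnWriteArrayList>
            <com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
              <id>deploy-user</id>
              <username>deploy</username>
              <password>{REDACTED}</password>
            </com.cloudbees.plugins.credentials.impl.UsernamePasswordCredentialsImpl>
            <org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
              <id>kubeconfig</id>
              <fileName>kubeconfig.yaml</fileName>
              <secretBytes>{SAMPLE_SECRET_PAYLOAD}</secretBytes>
            </org.jenkinsci.plugins.plaincredentials.impl.FileCredentialsImpl>
          </java.util.concurrent.CopyOnWriteArrayList>
        </entry>
      </domainCredentialsMap>
    </com.cloudbees.hudson.plugins.folder.properties.FolderCredentialsProvider_-FolderCredentialsProperty>
  </properties>
</com.cloudbees.hudson.plugins.folder.Folder>
"""

if __name__ == "__main__":
    # usage: check_config_xml.py [BASE_URL ITEM_PATH USER API_TOKEN]; no args = sample
    xml_text = fetch_config_xml(*sys.argv[1:5]) if len(sys.argv) == 5 else SAMPLE_CONFIG_XML
    hits = find_unredacted(xml_text)
    for path in hits:
        print("unredacted payload at", path)
    sys.exit(1 if hits else 0)
```

On the constructed sample the script reports exactly one path, ending in `FileCredentialsImpl/secretBytes`; once the `secretBytes` text is replaced by the `********` marker (what a fixed core writes) it reports nothing. Against a live instance, point it at a folder or job that stores credentials and authenticate as a user who has Item/Extended Read but not Item/Configure; a non-empty result after the upgrade means the core version is still below 2.479 / LTS 2.462.3 and the plugin fix is not taking effect.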

Status: Fix

Weakness Enumeration
Information Disclosure
Insufficiently Protected Credentials (CWE-522)

Related Identifiers
CVE-2024-47805
GHSA-62JV-J4W7-5HH8

Affected Products
Jenkins
Jenkins Credentials Plugin
Credentials Plugin