PT-2024-7108 · Jenkins, Red Os

Olivier Lamy · Published 2024-10-02 · Updated 2024-11-13 · CVE-2024-47803

CVSS v4.0: 5.3 Medium
Vector: AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
Name of the Vulnerable Software and Affected Versions
Jenkins versions 2.478 and earlier
Jenkins LTS versions 2.462.2 and earlier
Description
Jenkins provides the secretTextarea form field for multi-line secrets. Jenkins 2.478 and earlier and Jenkins LTS 2.462.2 and earlier do not redact multi-line secret values in the error messages generated for form submissions that involve a secretTextarea field. A multi-line secret (for example, a private key) can therefore be exposed wherever those error messages are written, such as the system log. Anyone who can read those error messages could obtain the secret and use it to access whatever it protects.
Recommendations
For Jenkins versions 2.478 and earlier, upgrade to version 2.479 or later.
For Jenkins LTS versions 2.462.2 and earlier, upgrade to version 2.462.3 or later.
As a temporary workaround, restrict access to the places where those error messages are recorded (for example, the system log) until the update is applied. Consider rotating any multi-line secret that was submitted through an affected form and may have been logged.
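The following is an added illustration, not Jenkins code and not the project's fix. It shows the class of bug the description refers to: a sanitizer that redacts secrets by pattern-matching the rendered error text misses a value that spans several lines, whereas redacting the data before it is rendered does not. It also includes a small check for deciding, after the fact, whether lines of a multi-line secret ended up in a saved log. The form fields, the redaction list, the error-message format and the sample log are all constructed for this example.

```python
import re

# Constructed sample form submission (assumption for this example): one
# single-line secret and one multi-line secret, as a secretTextarea field
# would carry it.
FORM = {
    "username": "deploy",
    "password": "hunter2",
    "privateKey": "-----BEGIN KEY-----\nAAAA\nBBBB\n-----END KEY-----",
}
SECRET_FIELDS = ["password", "privateKey"]  # hypothetical redaction list


def render_error(form: dict) -> str:
    """Hypothetical error message that echoes the submitted form back,
    Java Map.toString() style: values are embedded raw, newlines included."""
    body = ", ".join(f"{k}={v}" for k, v in form.items())
    return f"Failed to process form submission: {{{body}}}"


def redact_after_render(form: dict) -> str:
    """Flawed approach: render first, then regex the rendered text.
    '.' does not match a newline, so a value that spans lines never
    matches the pattern and survives in the message."""
    message = render_error(form)
    for field in SECRET_FIELDS:
        message = re.sub(rf"{re.escape(field)}=.*?(?=, |}})",
                         f"{field}=[REDACTED]", message)
    return message


def redact_before_render(form: dict) -> str:
    """Hardened approach: replace secret values in the data before anything
    formats them, so the shape of the value and of the message is irrelevant."""
    cleaned = {k: ("[REDACTED]" if k in SECRET_FIELDS else v)
               for k, v in form.items()}
    return render_error(cleaned)


def leaked_fragments(log_text: str, secret: str) -> list[str]:
    """Check which non-blank lines of a (multi-line) secret appear verbatim
    in a log. A non-empty result means the secret should be rotated."""
    wanted = [line.strip() for line in secret.splitlines() if line.strip()]
    present = set()
    for log_line in log_text.splitlines():
        for frag in wanted:
            if frag in log_line:
                present.add(frag)
    return [frag for frag in wanted if frag in present]


# Constructed system log containing the flawed sanitizer's output.
SAMPLE_LOG = "\n".join([
    "2024-10-01 10:00:00 INFO  job #7 started",
    "2024-10-01 10:00:01 WARNING " + redact_after_render(FORM),
    "2024-10-01 10:00:02 INFO  job #7 finished",
])


if __name__ == "__main__":
    print("after-render redaction:\n" + redact_after_render(FORM))
    print("before-render redaction:\n" + redact_before_render(FORM))
    print("leaked key lines:", leaked_fragments(SAMPLE_LOG, FORM["privateKey"]))
    print("leaked password:", leaked_fragments(SAMPLE_LOG, FORM["password"]))
```

The single-line password is redacted by both approaches; only the structural redaction removes the multi-line key, and the log check reports every line of that key in the sample log produced by the flawed approach. The same check can be pointed at a real log export together with a secret you suspect was submitted through an affected form.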

Fix available

Weakness Enumeration

Generation of Error Message Containing Sensitive Information (CWE-209)
Information Disclosure

Related Identifiers

BDU:2024-08390
BIT-JENKINS-2024-47803
CVE-2024-47803
GHSA-PJ95-PH4Q-4QM4
RHSA-2024:8884
RHSA-2024:8885
RHSA-2024:8886
RHSA-2024:8887

Affected Products

Jenkins
Red Os