CVE-2023-43494

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Published: Sep 20, 2023
Updated: May 10, 2024
CVE: CVE-2023-43494
GHSA: GHSA-279f-qwgh-h5mp
Severity: Low
Exploit:

CVSS v3:

Severity: Low
Score: 4.3
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

No CWE or OWASP classifications available.

Affected Software
References

Software	From	Fixed in
org.jenkins-ci.main / jenkins-core	2.50	2.414.2
org.jenkins-ci.main / jenkins-core	2.415	2.424
jenkins / jenkins	2.60.1	2.414.2
jenkins / jenkins	2.50	2.424

http://www.openwall.com/lists/oss-security/2023/09/20/5
https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261

Vulnerability Database

289,599

CVE-2023-43494