Cyber Resilience

CVE-2023-43494

Medium

Published: 20 September 2023

Published
20 September 2023
Modified
21 November 2024
KEV Added
Patch
CVSS Score v3.1 4.3 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EPSS Score 0.4915 97.8th percentile
Risk Priority 38 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2023-43494 is a medium-severity an unspecified weakness vulnerability in Jenkins Jenkins. Its CVSS base score is 4.3 (Medium).

Operationally, ranked in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.

Deeper analysis

Jenkins versions 2.50 through 2.423 and LTS releases 2.60.1 through 2.414.1 fail to exclude sensitive build variables such as password parameter values from searches performed in the build history widget. This information disclosure issue stems from the way the widget indexes and returns build data without filtering protected parameters.

Attackers holding Item/Read permission on a job can exploit the flaw by repeatedly querying the widget with different character sequences until the correct values of sensitive variables are reconstructed. The technique requires no other privileges and yields partial disclosure of credentials or secrets used during builds, consistent with the reported CVSS score of 4.3.

The Jenkins security advisory published on 2023-09-20 along with the accompanying oss-security postings describe the issue under SECURITY-3261 and direct administrators to the corresponding updates that address the exposure in later releases.

The EPSS score reached a peak of 0.5327 before receding to its current value of 0.4915, indicating moderate ongoing interest without evidence of widespread active exploitation.

EU & UK References

Vulnerability details

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive…

more

variables used in builds by iteratively testing different characters until the correct sequence is discovered.

CWE(s)

Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

jenkins
jenkins
2.50 — 2.424 · 2.60.1 — 2.414.2

Mitigating Controls

No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.

References