CVE-2023-43494
Published: 20 September 2023
Summary
CVE-2023-43494 is a medium-severity vulnerability in Jenkins with an unspecified weakness type. Its CVSS base score is 4.3 (Medium).
Operationally, it ranks in the top 2.2% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
Jenkins versions 2.50 through 2.423 and LTS releases 2.60.1 through 2.414.1 fail to exclude sensitive build variables such as password parameter values from searches performed in the build history widget. This information disclosure issue stems from the way the widget indexes and returns build data without filtering protected parameters.
Attackers holding Item/Read permission on a job can exploit the flaw by repeatedly querying the widget with different character sequences until the correct values of sensitive variables are reconstructed. The technique requires no other privileges and yields partial disclosure of credentials or secrets used during builds, consistent with the reported CVSS score of 4.3.
The Jenkins security advisory published on 2023-09-20 and the accompanying oss-security postings describe the issue under SECURITY-3261 and direct administrators to the corresponding updates that address the exposure in later releases.
The EPSS score reached a peak of 0.5327 before receding to its current value of 0.4915, indicating moderate ongoing interest without evidence of widespread active exploitation.
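The version ranges above can be checked against a controller inventory. The sketch below is an added example, not code from Jenkins or the advisory; it assumes Jenkins' release numbering (two components for weekly releases, three for LTS), and the controller names and inventory are constructed. Classifying by release line matters because an LTS version just above the affected LTS range is still numerically below the weekly upper bound.

```python
import re

# Affected ranges as stated on this page (both ends inclusive).
WEEKLY_RANGE = ((2, 50), (2, 423))
LTS_RANGE = ((2, 60, 1), (2, 414, 1))

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_version(raw):
    """Return a tuple of ints, or None for anything that is not a plain release.

    Suffixed strings such as "2.400-SNAPSHOT" are rejected so they are
    reviewed by hand instead of being silently classified.
    """
    m = _VERSION_RE.match(raw.strip())
    if not m:
        return None
    return tuple(int(p) for p in m.groups() if p is not None)


def classify(raw):
    """Return 'affected', 'not-affected' or 'unknown' for one version string."""
    v = parse_version(raw)
    if v is None:
        return "unknown"
    # Three components -> LTS line, two -> weekly line (assumed convention).
    low, high = LTS_RANGE if len(v) == 3 else WEEKLY_RANGE
    return "affected" if low <= v <= high else "not-affected"


def audit(inventory):
    """Map each controller name to its classification."""
    return {name: classify(ver) for name, ver in inventory.items()}


# Constructed inventory (hypothetical controller names and versions).
SAMPLE_INVENTORY = {
    "ci-weekly-old": "2.423",
    "ci-weekly-new": "2.424",
    "ci-lts-old": "2.414.1",
    "ci-lts-new": "2.414.2",
    "ci-legacy": "2.49",
    "ci-custom": "2.400-SNAPSHOT",
}

if __name__ == "__main__":
    for name, status in audit(SAMPLE_INVENTORY).items():
        print(f"{name:15} {SAMPLE_INVENTORY[name]:16} {status}")
```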
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-2391
Vulnerability details
Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Mitigating Controls
No mitigating controls mapped yet. The per-CVE control annotator has not reached this CVE.