{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-27904", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2023-03-07T09:35:48.507Z", "datePublished": "2023-03-08T17:14:52.848Z", "dateUpdated": "2024-08-02T12:23:30.559Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Jenkins", "vendor": "Jenkins Project", "versions": [{"lessThan": "*", "status": "unaffected", "version": "2.394", "versionType": "maven"}, {"lessThan": "2.375.*", "status": "unaffected", "version": "2.375.4", "versionType": "maven"}, {"lessThan": "2.387.*", "status": "unaffected", "version": "2.387.1", "versionType": "maven"}]}], "descriptions": [{"lang": "en", "value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:49:09.772Z"}, "references": [{"name": "Jenkins Security Advisory 2023-03-08", "tags": ["vendor-advisory"], "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T12:23:30.559Z"}, "title": "CVE Program Container", "references": [{"name": "Jenkins Security Advisory 2023-03-08", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*", "matchCriteriaId": "60A98B86-E66C-4703-9DDD-7BB66247067C", "versionEndExcluding": "2.375.4", "vulnerable": true}, {"criteria": "cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*", "matchCriteriaId": "57EF4F3C-05BE-4979-A92D-6B56EE5CD3FF", "versionEndExcluding": "2.394", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers."}], "id": "CVE-2023-27904", "lastModified": "2023-03-15T19:54:20.670", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-03-10T21:15:15.733", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2023:3195", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.387.1.1683009767-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-05-18T00:00:00Z"}, {"advisory": "RHSA-2023:6172", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.414.3.1698293911-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0778", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-0:2.426.3.1706515686-3.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:3299", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.387.3.1684911776-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2023-05-24T00:00:00Z"}, {"advisory": "RHSA-2023:3622", "cpe": "cpe:/a:redhat:ocp_tools:4.13::el8", "package": "jenkins-0:2.401.1.1686680404-3.el8", "product_name": "OCP-Tools-4.13-RHEL-8", "release_date": "2023-06-15T00:00:00Z"}, {"advisory": "RHSA-2023:3198", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-0:2.387.1.1683009763-3.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-05-17T00:00:00Z"}, {"advisory": "RHSA-2023:3663", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-0:2.401.1.1686831596-3.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-06-19T00:00:00Z"}, {"advisory": "RHSA-2023:6171", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-0:2.414.3.1698298955-3.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2023-10-30T00:00:00Z"}, {"advisory": "RHSA-2024:0775", "cpe": "cpe:/a:redhat:ocp_tools:4.11::el8", "package": "jenkins-0:2.426.3.1706516929-3.el8", "product_name": "OpenShift Developer Tools and Services for OCP 4.11", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2023:1655", "cpe": "cpe:/a:redhat:openshift:4.10::el8", "package": "jenkins-0:2.387.1.1680701869-1.el8", "product_name": "Red Hat OpenShift Container Platform 4.10", "release_date": "2023-04-12T00:00:00Z"}], "bugzilla": {"description": "Jenkins: Information disclosure through error stack traces related to agents", "id": "2177634", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2177634"}, "csaw": false, "cvss3": {"cvss3_base_score": "5.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "status": "verified"}, "cwe": "CWE-200", "details": ["Jenkins 2.393 and earlier, LTS 2.375.3 and earlier prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers.", "A flaw was found in Jenkins. The affected version of Jenkins prints an error stack trace on agent-related pages when agent connections are broken. This stack trace may contain information about Jenkins configuration that is otherwise inaccessible to attackers."], "name": "CVE-2023-27904", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins", "product_name": "Red Hat OpenShift Container Platform 3.11"}], "public_date": "2023-03-10T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-27904\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-27904\nhttps://www.jenkins.io/security/advisory/2023-03-08/#SECURITY-2120"], "statement": "OpenShift 3.11 is already in the ELS support model phase. The Jenkins components are out of the scope of the ELS support; hence OpenShift 3.11 Jenkins component is marked in this CVE as Out of Support Scope.", "threat_severity": "Low", "upstream_fix": "LTS 2.375.4, LTS 2.387.1, Jenkins 2.394"}