{"dataType": "CVE_RECORD", "dataVersion": "5.1", "cveMetadata": {"cveId": "CVE-2023-40339", "assignerOrgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "state": "PUBLISHED", "assignerShortName": "jenkins", "dateReserved": "2023-08-14T16:02:56.435Z", "datePublished": "2023-08-16T14:32:51.314Z", "dateUpdated": "2024-08-02T18:31:53.808Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "affected", "product": "Jenkins Config File Provider Plugin", "vendor": "Jenkins Project", "versions": [{"lessThan": "*", "status": "unaffected", "version": "953.v0432a_802e4d2", "versionType": "maven"}, {"status": "unaffected", "version": "951.953.vdfc5f6e2dcc4"}]}], "descriptions": [{"lang": "en", "value": "Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log."}], "providerMetadata": {"orgId": "39769cd5-e6e2-4dc8-927e-97b3aa056f5b", "shortName": "jenkins", "dateUpdated": "2023-10-24T12:51:22.838Z"}, "references": [{"name": "Jenkins Security Advisory 2023-08-16", "tags": ["vendor-advisory"], "url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090"}, {"url": "http://www.openwall.com/lists/oss-security/2023/08/16/3"}]}, "adp": [{"providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2024-08-02T18:31:53.808Z"}, "title": "CVE Program Container", "references": [{"name": "Jenkins Security Advisory 2023-08-16", "tags": ["vendor-advisory", "x_transferred"], "url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090"}, {"url": "http://www.openwall.com/lists/oss-security/2023/08/16/3", "tags": ["x_transferred"]}]}]}}

{}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:config_file_provider:*:*:*:*:*:jenkins:*:*", "matchCriteriaId": "F0F8F4AC-9087-47EF-890B-CBEB311E4E2D", "versionEndIncluding": "952.va_544a_6234b_46", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log."}], "id": "CVE-2023-40339", "lastModified": "2023-08-22T18:55:53.897", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2023-08-16T15:15:11.547", "references": [{"source": "jenkinsci-cert@googlegroups.com", "tags": ["Mailing List", "Third Party Advisory"], "url": "http://www.openwall.com/lists/oss-security/2023/08/16/3"}, {"source": "jenkinsci-cert@googlegroups.com", "tags": ["Vendor Advisory"], "url": "https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090"}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "NVD-CWE-noinfo"}], "source": "nvd@nist.gov", "type": "Primary"}]}

{"affected_release": [{"advisory": "RHSA-2024:0778", "cpe": "cpe:/a:redhat:ocp_tools:4.12::el8", "package": "jenkins-2-plugins-0:4.12.1706515741-1.el8", "product_name": "OCP-Tools-4.12-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}, {"advisory": "RHSA-2024:0777", "cpe": "cpe:/a:redhat:ocp_tools:4.14::el8", "package": "jenkins-2-plugins-0:4.14.1706516441-1.el8", "product_name": "OCP-Tools-4.14-RHEL-8", "release_date": "2024-02-12T00:00:00Z"}], "bugzilla": {"description": "jenkins-plugins: config-file-provider: Improper masking of credentials in Config File Provider Plugin", "id": "2232423", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2232423"}, "csaw": false, "cvss3": {"cvss3_base_score": "7.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "status": "verified"}, "details": ["Jenkins Config File Provider Plugin 952.va_544a_6234b_46 and earlier does not mask (i.e., replace with asterisks) credentials specified in configuration files when they're written to the build log.", "A flaw was found in the Config File Provider Jenkins Plugin. Affected versions of this plugin do not mask (replace with asterisks) credentials specified in configuration files when they're written to the build log."], "name": "CVE-2023-40339", "package_state": [{"cpe": "cpe:/a:redhat:openshift:3.11", "fix_state": "Out of support scope", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 3.11"}, {"cpe": "cpe:/a:redhat:openshift:4", "fix_state": "Affected", "package_name": "jenkins-2-plugins", "product_name": "Red Hat OpenShift Container Platform 4"}], "public_date": "2023-08-16T00:00:00Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2023-40339\nhttps://nvd.nist.gov/vuln/detail/CVE-2023-40339\nhttps://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3090"], "threat_severity": "Moderate", "upstream_fix": "Config File Provider Plugin 953.v0432a_802e4d2"}