Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.

Metrics

No CVSS v4.0

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact Low

Integrity Impact None

Availability Impact None

User Interaction None

No CVSS v3.0

No CVSS v2

This CVE is not in the KEV list.

Exploitation none

Automatable no

Technical Impact partial

Affected Vendors & Products

Vendors Products
Jenkins
  • Jenkins
Redhat
  • Ocp Tools

Configuration 1 [-]

OR cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
Package CPE Advisory Released Date
OCP-Tools-4.12-RHEL-8
jenkins-0:2.462.3.1730119132-3.el8 cpe:/a:redhat:ocp_tools:4.12::el8 RHSA-2024:8886 2024-11-05T00:00:00Z
jenkins-2-plugins-0:4.12.1730119231-1.el8 cpe:/a:redhat:ocp_tools:4.12::el8 RHSA-2024:8886 2024-11-05T00:00:00Z
OCP-Tools-4.13-RHEL-8
jenkins-0:2.462.3.1729839924-3.el8 cpe:/a:redhat:ocp_tools:4.13::el8 RHSA-2024:8887 2024-11-05T00:00:00Z
jenkins-2-plugins-0:4.13.1729840148-1.el8 cpe:/a:redhat:ocp_tools:4.13::el8 RHSA-2024:8887 2024-11-05T00:00:00Z
OCP-Tools-4.14-RHEL-8
jenkins-0:2.462.3.1729839727-3.el8 cpe:/a:redhat:ocp_tools:4.14::el8 RHSA-2024:8885 2024-11-05T00:00:00Z
jenkins-2-plugins-0:4.14.1729839844-1.el8 cpe:/a:redhat:ocp_tools:4.14::el8 RHSA-2024:8885 2024-11-05T00:00:00Z
OCP-Tools-4.15-RHEL-8
jenkins-0:2.462.3.1729837947-3.el8 cpe:/a:redhat:ocp_tools:4.15::el8 RHSA-2024:8884 2024-11-05T00:00:00Z
jenkins-2-plugins-0:4.15.1729838165-1.el8 cpe:/a:redhat:ocp_tools:4.15::el8 RHSA-2024:8884 2024-11-05T00:00:00Z
References
Link Providers
https://nvd.nist.gov/vuln/detail/CVE-2024-47803 cve-icon
https://www.cve.org/CVERecord?id=CVE-2024-47803 cve-icon
https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451 cve-icon cve-icon cve-icon
History

Wed, 13 Nov 2024 17:45:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins jenkins
CPEs cpe:2.3:a:jenkins:jenkins:*:*:*:*:-:*:*:*
cpe:2.3:a:jenkins:jenkins:*:*:*:*:lts:*:*:*
Vendors & Products Jenkins
Jenkins jenkins
Metrics cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N'}

Wed, 06 Nov 2024 02:15:00 +0000

Type Values Removed Values Added
First Time appeared Redhat
Redhat ocp Tools
CPEs cpe:/a:redhat:ocp_tools:4.12::el8
cpe:/a:redhat:ocp_tools:4.13::el8
cpe:/a:redhat:ocp_tools:4.14::el8
cpe:/a:redhat:ocp_tools:4.15::el8
Vendors & Products Redhat
Redhat ocp Tools

Thu, 03 Oct 2024 01:15:00 +0000

Type Values Removed Values Added
Title jenkins: Exposure of multi-line secrets through error messages
Weaknesses CWE-209
References
Metrics threat_severity

None

 cvssV3_1

{'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}

threat_severity

Moderate

Wed, 02 Oct 2024 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Oct 2024 15:45:00 +0000

Type Values Removed Values Added
Description Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the `secretTextarea` form field.
References
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published: 2024-10-02T15:35:02.392Z

Updated: 2024-10-07T08:19:38.231Z

Reserved: 2024-10-01T20:59:52.483Z

Link: CVE-2024-47803

cve-icon Vulnrichment

Updated: 2024-10-02T16:32:11.868Z

cve-icon NVD

Status : Analyzed

Published: 2024-10-02T16:15:10.630

Modified: 2024-11-13T17:45:58.903

Link: CVE-2024-47803

cve-icon Redhat

Severity : Moderate

Publid Date: 2024-10-02T15:35:02Z

Links: CVE-2024-47803 - Bugzilla