Exposure of Sensitive Information to an Unauthorized Actor Affecting org.jenkins-ci.plugins:credentials package, versions [,1371.1373.v4eb_fa_b_7161e9) (1371.1373.v4eb_fa_b_7161e9,1381.v2c3a_12074da_b_)
Threat Intelligence
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk ID SNYK-JAVA-ORGJENKINSCIPLUGINS-8160885
- published 3 Oct 2024
- disclosed 2 Oct 2024
- credit Kevin Guerroudj
Introduced: 2 Oct 2024
CVE-2024-47805 Open this link in a new tabHow to fix?
Upgrade org.jenkins-ci.plugins:credentials to version 1371.1373.v4eb_fa_b_7161e9, 1381.v2c3a_12074da_b_ or higher.
Overview
org.jenkins-ci.plugins:credentials is a plugin that provides a standardized API for other plugins to store and retrieve different types of credentials.
Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor via the config.xml item through REST API or CLI due to not redacting encrypted values of credentials using the SecretBytes type. An attacker with Item/Extended Read permissions can view encrypted SecretBytes values in credentials.
Note:
The fix for this vulnerability is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.