Exposure of Sensitive Information to an Unauthorized Actor Affecting org.jenkins-ci.plugins:credentials package, versions [,1371.1373.v4eb_fa_b_7161e9)(1371.1373.v4eb_fa_b_7161e9,1381.v2c3a_12074da_b_)
Threat Intelligence
The probability is the direct output of the EPSS model, and conveys an overall sense of the threat of exploitation in the wild. The percentile measures the EPSS probability relative to all known EPSS scores. Note: This data is updated daily, relying on the latest available EPSS model version. Check out the EPSS documentation for more details.
Do your applications use this vulnerable package?
In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.
Test your applications- Snyk IDSNYK-JAVA-ORGJENKINSCIPLUGINS-8160885
- published3 Oct 2024
- disclosed2 Oct 2024
- creditKevin Guerroudj
Introduced: 2 Oct 2024
CVE-2024-47805 (opens in a new tab)How to fix?
Upgrade org.jenkins-ci.plugins:credentials to version 1371.1373.v4eb_fa_b_7161e9, 1381.v2c3a_12074da_b_ or higher.
Overview
org.jenkins-ci.plugins:credentials is a plugin that provides a standardized API for other plugins to store and retrieve different types of credentials.
Affected versions of this package are vulnerable to Exposure of Sensitive Information to an Unauthorized Actor via the config.xml item through REST API or CLI due to not redacting encrypted values of credentials using the SecretBytes type. An attacker with Item/Extended Read permissions can view encrypted SecretBytes values in credentials.
Note:
The fix for this vulnerability is only effective on Jenkins 2.479 and newer, LTS 2.462.3 and newer. While Credentials Plugin 1381.v2c3a_12074da_b_ can be installed on Jenkins 2.463 through 2.478 (both inclusive), encrypted values of credentials using the SecretBytes type will not be redacted when accessing item config.xml via REST API or CLI.