Описание
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
A flaw was found in Jenkins and LTS. Affected versions of Jenkins do not redact the encrypted value of secrets when accessing config.xml agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view the encrypted value of secrets.
Затронутые пакеты
| Платформа | Пакет | Состояние | Рекомендация | Релиз |
|---|---|---|---|---|
| OpenShift Developer Tools and Services | jenkins | Fix deferred | ||
| Red Hat Developer Hub | rhdh-hub-rhel9 | Affected |
Показывать по
Дополнительная информация
Статус:
EPSS
4.3 Medium
CVSS3
Связанные уязвимости
Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing `config.xml` of agents via REST API or CLI, allowing attackers with Agent/Extended Read permission to view encrypted values of secrets.
Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission
Уязвимость сервера автоматизации Jenkins, связанная с недостаточной защитой служебных данных, позволяющая нарушителю получить несанкционированный доступ к защищаемой информации
EPSS
4.3 Medium
CVSS3