CVE-2023-27904 – org.jenkins-ci.main:jenkins-core
Package
Manager: maven
Name: org.jenkins-ci.main:jenkins-core
Vulnerable Version: >=2.376 <2.387.1 || >=0 <2.375.4 || >=2.388 <2.394
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00132 (percentile 0.33541)
Details
Information disclosure through error stack traces related to agents
Jenkins 2.393 and earlier, LTS 2.375.3 and earlier, and prior to LTS 2.387.1 prints an error stack trace on agent-related pages when agent connections are broken, potentially revealing information about Jenkins configuration that is otherwise inaccessible to attackers. Jenkins 2.394, LTS 2.375.4, and LTS 2.387.1 do not display error stack traces when agent connections are broken.
Metadata
Created: 2023-03-10T21:30:19Z
Modified: 2023-05-23T20:28:36Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/03/GHSA-rrgp-c2w8-6vg6/GHSA-rrgp-c2w8-6vg6.json
CWE IDs: []
Alternative ID: GHSA-rrgp-c2w8-6vg6
Finding: F037
Auto approve: 1