CVE-2023-39155 – org.jenkins-ci.plugins:chef-identity
Package
Manager: maven
Name: org.jenkins-ci.plugins:chef-identity
Vulnerable Version: >=0 <=2.0.3
Severity
Level: Low
CVSS v3.1: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N
CVSS v4.0: CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:P/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N
EPSS: 0.00059 (percentile: 0.18543)
Details
Secret displayed without masking by Chef Identity Plugin

Chef Identity Plugin stores the user.pem key in its global configuration file `io.chef.jenkins.ChefIdentityBuildWrapper.xml` on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
Metadata
Created: 2023-07-26T15:30:57Z
Modified: 2023-08-01T21:39:57Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/07/GHSA-5jc5-m87x-88fj/GHSA-5jc5-m87x-88fj.json
CWE IDs: ["CWE-200", "CWE-668"]
Alternative ID: GHSA-5jc5-m87x-88fj
Finding: F017
Auto approve: 1