Fluid Attacks Database

Description

Jenkins exposes multi-line secrets through error messages Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

Mitigation

Update Impact

Minimal update. May introduce new vulnerabilities or breaking changes.

Ecosystem	Package	Affected version	Patched versions
maven	org.jenkins-ci.main:jenkins-core	>=0 <2.462.3 \|\| >=2.466 <2.479	2.462.3, 2.479

Aliases

1. CVE-2024-478032. NVD-2024-478033. OSV-2024-478034. GCVE-2024-47803

References

1. https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451

Does your application use this vulnerable software?

During the free trial, our tools assess your application, identify vulnerabilities, and provide recommendations for their remediation.