Description
Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
Published: 2024-10-02
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Analysis and contextual insights are available on OpenCVE Cloud.

Remediation

No vendor fix or workaround currently provided.

Additional remediation guidance may be available on OpenCVE Cloud.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
EUVD EUVD EUVD-2024-2957 Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
Github GHSA Github GHSA GHSA-62jv-j4w7-5hh8 Jenkins Credentials plugin reveals encrypted values of credentials to users with Extended Read permission
History

Fri, 14 Mar 2025 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

 ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 13 Nov 2024 18:00:00 +0000

Type Values Removed Values Added
First Time appeared Jenkins
Jenkins credentials
Weaknesses CWE-522
CPEs cpe:2.3:a:jenkins:credentials:*:*:*:*:*:jenkins:*:*
Vendors & Products Jenkins
Jenkins credentials
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Wed, 02 Oct 2024 17:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 02 Oct 2024 15:45:00 +0000

Type Values Removed Values Added
Description Jenkins Credentials Plugin 1380.va_435002fa_924 and earlier, except 1371.1373.v4eb_fa_b_7161e9, does not redact encrypted values of credentials using the `SecretBytes` type when accessing item `config.xml` via REST API or CLI.
References

Subscriptions

Jenkins Credentials
cve-icon MITRE

Status: PUBLISHED

Assigner: jenkins

Published:

Updated: 2025-03-14T15:02:44.176Z

Reserved: 2024-10-01T20:59:52.483Z

Link: CVE-2024-47805

cve-icon Vulnrichment

Updated: 2024-10-02T16:30:33.317Z

cve-icon NVD

Status : Modified

Published: 2024-10-02T16:15:10.753

Modified: 2025-03-14T15:15:43.840

Link: CVE-2024-47805

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

No data.

Weaknesses