CVE-2023-43494

moderate-risk

Published 2023-09-20

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Do I need to act?

53.3% chance of exploitation in next 30 days

EPSS score — higher than 47% of all CVEs

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.3/10 Medium

NETWORK / LOW complexity

Affected Products (2)

Jenkins

Affected Vendors

Jenkins

References (4)

Mailing List http://www.openwall.com/lists/oss-security/2023/09/20/5

Vendor Advisory https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261

Mailing List http://www.openwall.com/lists/oss-security/2023/09/20/5

Vendor Advisory https://www.jenkins.io/security/advisory/2023-09-20/#SECURITY-3261

/ 100

moderate-risk

Severity 18/34 · Moderate

Exploitability 18/34 · Moderate

Exposure 7/34 · Low