CGA-jfjg-q7fp-4hqv

Published

Last updated

https://images.chainguard.dev/security/CGA-jfjg-q7fp-4hqv

Package

jenkins-2.479

Repository

Chainguard

Latest Update

Pending upstream fix

Aliases

Severity

Unknown

Summary

Jenkins reveals encrypted values of secrets stored in agent configuration to users with Agent/Extended Read permission

Description

Jenkins 2.499 and earlier, LTS 2.492.1 and earlier does not redact encrypted values of secrets when accessing config.xml of views via REST API or CLI.

This allows attackers with View/Read permission to view encrypted values of secrets.

Jenkins 2.500, LTS 2.492.2 redacts the encrypted values of secrets stored in view config.xml accessed via REST API or CLI for users lacking View/Configure permission.

References

Updates

Advisories are based on vulnerability information provided by Grype from Anchore. Learn how Chainguard creates security advisories.

Safe Source for Open Source™

Media Kit Contact Us

Private Policy

CGA-jfjg-q7fp-4hqv

Severity

Summary

Description

References

Updates

Products

Why Chainguard

Customers

Company

Resources