Multiple vulnerabilities in Jenkins Ansible plugin



Risk Low
Patch available YES
Number of vulnerabilities 2
CVE-ID CVE-2023-32982
CVE-2023-32983
CWE-ID CWE-312
CWE-200
Exploitation vector Network
Public exploit N/A
Vulnerable software
 Ansible
Web applications / Modules and components for CMS

Vendor Jenkins

Security Bulletin

This security bulletin contains information about 2 vulnerabilities.

1) Cleartext storage of sensitive information

EUVDB-ID: #VU76240

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-32982

CWE-ID: CWE-312 - Cleartext Storage of Sensitive Information

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration. A remote user can view these extra variables.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible: 204.v8191fd551eb_f

CPE2.3 External links

https://jenkins.io/security/advisory/2023-05-16/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.

2) Information disclosure

EUVDB-ID: #VU76241

Risk: Low

CVSSv4.0: 1.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2023-32983

CWE-ID: CWE-200 - Information exposure

Exploit availability: No

Description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin does not mask extra variables displayed on the configuration form. A remote user can gain unauthorized access to sensitive information on the system.

Mitigation

Install updates from vendor's website.

Vulnerable software versions

Ansible: 204.v8191fd551eb_f

CPE2.3 External links

https://jenkins.io/security/advisory/2023-05-16/


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote authenticated user via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.



###SIDEBAR###