CVE-2023-24439

Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVSS v3 5.5 MEDIUM

5.5^/10

CVSS v3 : MEDIUM

Vector :

Exploitability : 1.8 / Impact : 3.6

Attack Vector LOCAL

Attack Complexity LOW

Privileges Required LOW

User Interaction NONE

Confidentiality Impact HIGH

Integrity Impact NONE

Availability Impact NONE

Scope UNCHANGED

References

Link	Resource
https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2774	Vendor Advisory
https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2774	Vendor Advisory

Configurations

Configuration 1 (hide)

cpe:2.3:a:jenkins:jira_pipeline_steps:*:*:*:*:*:jenkins:*:*

History

21 Nov 2024, 07:47

Type	Values Removed	Values Added
New CVE

Information

Published : 2023-01-26 21:18

Updated : 2025-04-02 14:15

NVD link : CVE-2023-24439

Mitre link : CVE-2023-24439

CVE.ORG link : CVE-2023-24439

JSON object : View

Products Affected

jenkins

jira_pipeline_steps

CWE

CWE-312

Cleartext Storage of Sensitive Information

{"id": "CVE-2023-24439", "cveTags": [], "metrics": {"cvssMetricV31": [{"type": "Primary", "source": "nvd@nist.gov", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "cvssData": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 5.5, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "LOW", "confidentialityImpact": "HIGH"}, "impactScore": 3.6, "exploitabilityScore": 1.8}]}, "published": "2023-01-26T21:18:17.783", "references": [{"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2774", "tags": ["Vendor Advisory"], "source": "jenkinsci-cert@googlegroups.com"}, {"url": "https://www.jenkins.io/security/advisory/2023-01-24/#SECURITY-2774", "tags": ["Vendor Advisory"], "source": "af854a3a-2127-422b-91ae-364da2661108"}], "vulnStatus": "Modified", "weaknesses": [{"type": "Primary", "source": "nvd@nist.gov", "description": [{"lang": "en", "value": "CWE-312"}]}, {"type": "Secondary", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "description": [{"lang": "en", "value": "CWE-312"}]}], "descriptions": [{"lang": "en", "value": "Jenkins JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private keys unencrypted in its global configuration file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system."}, {"lang": "es", "value": "El complemento JIRA Pipeline Steps de Jenkins en su versi\u00f3n 2.0.165.v8846cf59f3db y anteriores almacena las claves privadas sin cifrar en su archivo de configuraci\u00f3n global en el controlador Jenkins, donde los usuarios con acceso al sistema de archivos del controlador Jenkins pueden verlas."}], "lastModified": "2025-04-02T14:15:39.040", "configurations": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:jenkins:jira_pipeline_steps:*:*:*:*:*:jenkins:*:*", "vulnerable": true, "matchCriteriaId": "DA2750F7-7098-4B8F-99BA-D60EACDB441F", "versionEndIncluding": "2.0.165.v8846cf59f3db"}], "operator": "OR"}]}], "sourceIdentifier": "jenkinsci-cert@googlegroups.com"}