4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-30514

CVE-2023-30514: Jenkins Azure Key Vault Plugin does not properly mask credentials

Multiple Jenkins plugins do not properly mask (i.e., replace with asterisks) credentials printed in the build log from Pipeline steps like sh and bat, when both of the following conditions are met:

The credentials are printed in build steps executing on an agent (typically inside a node block).
Push mode for durable task logging is enabled. This is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING. It is also automatically enabled by some plugins, e.g., OpenTelemetry and Pipeline Logging over CloudWatch.

The following plugins are affected by this vulnerability:

Kubernetes 3909.v1f2c633e8590 and earlier (SECURITY-3079 / CVE-2023-30513)
Azure Key Vault 187.va_cd5fecd198a_ and earlier (SECURITY-3051 / CVE-2023-30514)
Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)

The following plugins have been updated to properly mask credentials in the build log when push mode for durable task logging is enabled:

Kubernetes 3910.ve59cec5e33ea_ (SECURITY-3079 / CVE-2023-30513)
Azure Key Vault 188.vf46b_7fa_846a_1 (SECURITY-3051 / CVE-2023-30514)

As of publication of this advisory, there is no fix available for the following plugin:

Thycotic DevOps Secrets Vault 1.0.0 (SECURITY-3078 / CVE-2023-30515)

(GitHub Advisory)

Miggo Vulnerability Database

→

CVE-2023-30514

CVE-2023-30514:

4.3

CVSS Score

3.1

-

CVSS Score

Basic Information

Technical Details

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:azure-keyvault	maven	< 188.vf46b	188.vf46b

Technical Details

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from improper credential masking in Jenkins' push mode logging (DurableTaskStep.USE_WATCHING). Key functions would be those handling: 1) Secret retrieval from Azure Key Vault 2) Logging during pipeline step execution. The AzureKeyVaultStepExecution.run() is the most likely location where retrieved secrets enter the build context and could be logged unmasked. AzureCredentialsProvider.getCredentials() is implicated as the source of credential exposure if not properly wrapped for masking. Confidence is medium due to lack of direct patch code, but grounded in Jenkins' credential handling patterns and the advisory's technical details about push mode logging being the trigger.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.W** rul*s *v*il**l* *or Mi**o *ustom*rs only.

Reasoning

*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.*v*il**l* *or Mi**o *ustom*rs only.

4.3

-

Basic Information

Basic Information

Concerned about an active attack path?

CVE-2023-30514: Jenkins Azure Key Vault Plugin does not properly mask credentials

CVE-2023-30514:

4.3

-

Basic Information

Basic Information

Technical Details

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability IntelligenceMiggo AI

Technical Details

CVE-2023-30514: Jenkins Azure Key Vault Plugin does not properly mask credentials

Basic Information

Basic Information

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

4.3

4.3

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI

Vulnerability Intelligence
Miggo AI