CVE-2023-40339:
Jenkins Config File Provider Plugin improper credential masking vulnerability

CVSS Score: 4.3 (CVSS 3.1)

Basic Information

EPSS Score: 0.40742%
CWE: -
Published: 8/16/2023
Updated: 1/5/2024
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name: org.jenkins-ci.plugins:config-file-provider
Ecosystem: maven
Vulnerable Versions: < 953.v0432a
First Patched Version: 953.v0432a

Vulnerability Intelligence
Miggo AI Root Cause Analysis

The vulnerability stemmed from credential-containing configuration files being written to build logs without masking. The key functions are the content supply methods in ConfigProvider and its implementations (AbstractCustomProvider/AbstractMavenSettingsProvider), which provided credential-embedded content but did not implement a mechanism to identify sensitive strings for masking. The patch added getSensitiveContentForMasking to collect credentials and a ConsoleLogFilter to mask them, confirming that these functions were the root cause. The absence of a masking decorator in ConfigFileBuildWrapper in older versions further corroborates this analysis.
