Secret displayed without masking by Chef Identity Plugin

2023-07-2615:30:57

Google

osv.dev

chef identity plugin

user.pem key

global configuration file

jenkins controller

unmasked

potential attackers

5.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

0.001 Low

EPSS

Percentile

19.5%

JSON

Chef Identity Plugin stores the user.pem key in its global configuration file io.chef.jenkins.ChefIdentityBuildWrapper.xml on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

CPENameOperatorVersion
org.jenkins-ci.plugins:chef-identityeq0.1.1
org.jenkins-ci.plugins:chef-identityeq0.1.3
org.jenkins-ci.plugins:chef-identityeq2.0.3
org.jenkins-ci.plugins:chef-identityeq0.1.2
org.jenkins-ci.plugins:chef-identityeq1.0.0
org.jenkins-ci.plugins:chef-identityeq0.1.4

Name	Operator	Version
org.jenkins-ci.plugins:chef-identity	eq	0.1.1
org.jenkins-ci.plugins:chef-identity	eq	0.1.3
org.jenkins-ci.plugins:chef-identity	eq	2.0.3
org.jenkins-ci.plugins:chef-identity	eq	0.1.2
org.jenkins-ci.plugins:chef-identity	eq	1.0.0
org.jenkins-ci.plugins:chef-identity	eq	0.1.4