Vulnerability Description
Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
CVSS Score
7.5
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Jenkins | Nodejs | <= 1.6.0 |
References
- http://www.openwall.com/lists/oss-security/2023/08/16/3Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196Vendor Advisory
- http://www.openwall.com/lists/oss-security/2023/08/16/3Mailing ListThird Party Advisory
- https://www.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196Vendor Advisory
FAQ
What is CVE-2023-40340?
CVE-2023-40340 is a vulnerability with a CVSS score of 7.5 (HIGH). Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.
How severe is CVE-2023-40340?
CVE-2023-40340 has been rated HIGH with a CVSS base score of 7.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2023-40340?
Check the references section above for vendor advisories and patch information. Affected products include: Jenkins Nodejs.