VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30513

Description

Jenkins Kubernetes Plugin ≤3909.v1f2c633e8590 fails to mask credentials in build logs when push mode for durable task logging is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

The Jenkins Kubernetes Plugin up to version 3909.v1f2c633e8590 contains a vulnerability where credentials are not properly masked (i.e., replaced with asterisks) in the build log when push mode for durable task logging is enabled [1][3]. This failure occurs specifically when credentials are printed in build steps executing on an agent, typically inside a node block, and the push mode for durable task logging is active [1]. Push mode is a hidden option in Pipeline: Nodes and Processes that can be enabled through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING, and it may also be automatically enabled by plugins such as OpenTelemetry and Pipeline Logging over CloudWatch [1].

To exploit this issue, an attacker would need to have access to the build logs where the credentials were printed. The vulnerability does not require authentication to exploit the logging weakness itself, but the attacker must be able to view the build log output [1]. The prerequisite is that the Kubernetes Plugin is configured in a way that push mode for durable task logging is enabled, and that a Pipeline step (like sh or bat) prints credentials during execution on an agent [1].

The impact of successful exploitation is the exposure of sensitive credentials in plaintext within the build log, which could allow an attacker with access to those logs to obtain secret information such as API tokens, passwords, or other authentication material [1][3]. This leakage undermines the security guarantees of credential masking and could lead to further compromise of Jenkins-integrated systems.

The issue has been addressed in Kubernetes Plugin version 3910.ve59cec5e33ea, which properly masks credentials when push mode for durable task logging is enabled [1][2]. Users are strongly advised to update to this version or later to mitigate the risk [1]. No workarounds are mentioned in the advisory; however, disabling push mode for durable task logging (if not required) would prevent the vulnerability from being exploited [1].
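The two conditions above (a Kubernetes Plugin release older than the fix, and push mode being active) can be triaged from a controller's plugin inventory and JVM arguments. The script below is an added example, not code from the advisory or the plugin. It assumes a plugins.txt-style "short-name:version" inventory, assumes the short names opentelemetry and pipeline-cloudwatch-logs for the two plugins named above, and compares only the leading number of the version string.

```python
import re

FIXED_BUILD = 3910  # leading component of the fixed release 3910.ve59cec5e33ea
PUSH_PROPERTY = ("org.jenkinsci.plugins.workflow.steps.durable_task."
                 "DurableTaskStep.USE_WATCHING")
# Assumed short names of the two plugins the page says may enable push mode.
AUTO_PUSH_PLUGINS = {"opentelemetry", "pipeline-cloudwatch-logs"}

def parse_inventory(text):
    """Parse 'short-name:version' lines into a dict, ignoring # comments."""
    plugins = {}
    for line in text.splitlines():
        name, sep, version = line.split("#", 1)[0].strip().partition(":")
        if sep:
            plugins[name.strip()] = version.strip()
    return plugins

def push_mode_reasons(plugins, jvm_args):
    """List the reasons push mode may be active on this controller."""
    reasons = []
    for arg in jvm_args:
        key, _, value = arg.partition("=")
        # Java's Boolean.getBoolean only accepts the value "true" (any case).
        if key == "-D" + PUSH_PROPERTY and value.lower() == "true":
            reasons.append("USE_WATCHING system property is true")
    reasons += [n + " plugin installed" for n in sorted(AUTO_PUSH_PLUGINS & set(plugins))]
    return reasons

def assess(inventory_text, jvm_args):
    """Return (status, reasons) for one controller."""
    plugins = parse_inventory(inventory_text)
    if "kubernetes" not in plugins:
        return "not-installed", []
    build = re.match(r"\d+", plugins["kubernetes"])
    if build is None:
        return "unknown-version", []
    if int(build.group()) >= FIXED_BUILD:
        return "patched", []
    reasons = push_mode_reasons(plugins, jvm_args)
    # An affected version without evident push mode still needs the upgrade.
    return ("exposed" if reasons else "affected-version"), reasons

# Constructed sample input, not taken from a real controller.
SAMPLE_INVENTORY = """\
kubernetes:3909.v1f2c633e8590
opentelemetry:0.0.0-sample   # constructed version string
"""
SAMPLE_JVM_ARGS = ["-Xmx2g", "-D" + PUSH_PROPERTY + "=true"]

if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY, SAMPLE_JVM_ARGS))
```

A result of "affected-version" means no push-mode indicator was found in the supplied inventory or arguments; since the page notes other plugins may enable push mode automatically, it is a prompt to upgrade rather than a clean bill of health.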

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
|---|---|---|
| org.csanchez.jenkins.plugins:kubernetes (Maven) | < 3910.ve59cec5e33ea | 3910.ve59cec5e33ea |
