Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30514


Description

Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins Azure Key Vault Plugin fails to mask credentials in build logs when push mode for durable task logging is enabled, exposing sensitive secrets.

Vulnerability Description

Jenkins Azure Key Vault Plugin 187.va_cd5fecd198a_ and earlier fails to properly mask credentials when they are printed in the build log from Pipeline steps (e.g., sh and bat) under specific conditions [1]. This occurs when push mode for durable task logging is enabled, either via the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING or automatically by plugins like OpenTelemetry and Pipeline Logging over CloudWatch [1].

Attack Vector

To exploit this issue, the attacker must have access to the build logs where credentials are printed during execution on an agent (typically inside a node block) [1]. No additional privileges are required beyond the ability to view build logs, as the credentials are inadvertently exposed as plaintext [1].

Impact

An attacker with access to the build log can extract sensitive credentials, such as Azure Key Vault secrets, that were intended to be masked [1]. This could lead to unauthorized access to resources protected by those credentials [1].

Mitigation

The vulnerability has been addressed in Azure Key Vault Plugin version 188.vf46b_7fa_846a_1, which properly masks credentials in the build log under the affected conditions [1]. Users are advised to update to this version or later [1].
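A triage check built from the conditions and fixed version stated above, as an added example (not code from the advisory or the plugin project): it reads a plugin inventory in short-name:version form plus the controller's JVM arguments and reports whether an affected plugin version coincides with push mode. The short names opentelemetry and pipeline-cloudwatch-logs, the inventory format, the function names and the sample data are assumptions made for this example.

```python
import re

# Fixed release and system property, both as named in the advisory above.
FIXED_VERSION = "188.vf46b_7fa_846a_1"
PUSH_MODE_PROPERTY = ("org.jenkinsci.plugins.workflow.steps.durable_task."
                      "DurableTaskStep.USE_WATCHING")
# Assumption: short names of the plugins said to enable push mode automatically.
PUSH_MODE_PLUGINS = {"opentelemetry", "pipeline-cloudwatch-logs"}

def release_number(version):
    """Leading integer of a version such as 187.va_cd5fecd198a_ (simplified ordering)."""
    match = re.match(r"(\d+)(?:\.|$)", version)
    if not match:
        raise ValueError(f"unrecognised plugin version: {version!r}")
    return int(match.group(1))

def parse_inventory(text):
    """Parse 'short-name:version' lines into a dict, ignoring # comments."""
    plugins = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            name, _, version = line.partition(":")
            plugins[name.strip()] = version.strip()
    return plugins

def push_mode_sources(plugins, jvm_args):
    """List what would turn on push mode for durable task logging."""
    sources = sorted(PUSH_MODE_PLUGINS & plugins.keys())
    prefix = "-D" + PUSH_MODE_PROPERTY + "="
    if any(a.startswith(prefix) and a[len(prefix):].lower() == "true" for a in jvm_args):
        sources.append("system property")
    return sources

def assess(inventory_text, jvm_args):
    """Return (status, push-mode sources) for one Jenkins controller."""
    plugins = parse_inventory(inventory_text)
    version = plugins.get("azure-keyvault")
    if version is None:
        return "not-installed", []
    if release_number(version) >= release_number(FIXED_VERSION):
        return "patched", []
    sources = push_mode_sources(plugins, jvm_args)
    return ("exposed" if sources else "vulnerable-version"), sources

# Constructed sample: affected plugin version alongside OpenTelemetry.
SAMPLE_INVENTORY = "azure-keyvault:187.va_cd5fecd198a_\nopentelemetry:2.0.0\n"
if __name__ == "__main__":
    print(assess(SAMPLE_INVENTORY, []))
```

A "vulnerable-version" result still calls for the upgrade; it only means none of the push-mode triggers named in the advisory were found in the inputs supplied.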

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:azure-keyvault (Maven) | < 188.vf46b | 188.vf46b |
