Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-32983

Description

Jenkins Ansible Plugin does not mask extra variables in configuration forms, exposing sensitive data to attackers with view access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

CVE-2023-32983 affects the Jenkins Ansible Plugin up to version 204.v8191fd551eb_f. The plugin does not mask extra variables (extraVars) when it displays them on the configuration form, so sensitive values such as passwords or API keys are shown in plain text in the Jenkins UI [1][2]. This is an information-exposure flaw: the plugin should treat these variables as secret/hidden fields.

Exploitation and Attack Surface

An attacker with at least Overall/Read permission (or Job/Configure permission for job-level configurations) can view the configuration form of a Jenkins job or global configuration that uses the Ansible Plugin. By navigating to the configuration page, the attacker can see the unmasked extra variable values in the form fields. No special network position or authentication bypass is required beyond having legitimate view access to the relevant configuration [1].

Impact

If an attacker can observe the extra variables, they may capture sensitive credentials or other secrets that were intended to be hidden. This could lead to unauthorized access to external systems (e.g., Ansible Tower, cloud services) or compromise of the CI/CD pipeline. The severity is considered medium, but the actual impact depends on the sensitivity of the data stored as extra variables [1][2].

Mitigation

The Jenkins security advisory [1] and the corresponding commit [3] show that the fix replaces getValue() with getSecretValue().getPlainText() (the tests are updated to match), and the plugin now properly masks the extra variables. Users should upgrade to version 205.v3cb_f086e4e7d or later. There is no known workaround for older versions; immediate upgrade is recommended.
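
A post-upgrade audit for job configurations that still hold extra-variable values in clear text, as an added example that is not part of the advisory or the plugin's code. It assumes XStream names the element after the ExtraVar class shown in the fix commit and that a stored Secret is wrapped in braces; audit_config and the sample document are constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Assumption: XStream names the element after the class shown in the fix commit.
EXTRA_VAR_TAG = "org.jenkinsci.plugins.ansible.ExtraVar"

# Constructed sample: one pre-fix entry and one entry saved after the upgrade.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <builders>
    <org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
      <extraVars>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>db_password</key>
          <value>constructed-sample-value</value>
          <hidden>false</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
        <org.jenkinsci.plugins.ansible.ExtraVar>
          <key>api_token</key>
          <secretValue>{constructedCiphertextPlaceholder=}</secretValue>
          <hidden>true</hidden>
        </org.jenkinsci.plugins.ansible.ExtraVar>
      </extraVars>
    </org.jenkinsci.plugins.ansible.AnsiblePlaybookBuilder>
  </builders>
</project>"""


def audit_config(xml_text):
    """Return (key, issue) for each ExtraVar not stored as an encrypted Secret.

    Values are never returned or printed, only the variable names.
    """
    # Jenkins writes an XML 1.1 declaration that expat rejects; drop it.
    body = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text, count=1)
    findings = []
    for var in ET.fromstring(body).iter(EXTRA_VAR_TAG):
        key = var.findtext("key", default="(no key)")
        secret = (var.findtext("secretValue") or "").strip()
        if var.findtext("value"):
            # Pre-fix layout: readResolve() wraps it in memory, the file is unchanged.
            findings.append((key, "plaintext <value> on disk"))
        elif secret and not (secret.startswith("{") and secret.endswith("}")):
            # Assumption: Secret persists ciphertext wrapped in braces.
            findings.append((key, "<secretValue> not encrypted"))
    return findings


if __name__ == "__main__":
    for key, issue in audit_config(SAMPLE_CONFIG):
        print(f"{key}: {issue}")
```

Any key it reports should be treated as exposed: re-save the job so the value is written as a Secret, and rotate the credential.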

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:ansible (Maven)
Affected versions: < 205.v4cb
Patched versions: 205.v4cb

Patches

4cbc48657c21

SECURITY-3017

https://github.com/jenkinsci/ansible-plugin · Valentin Delaye · May 15, 2023 · via ghsa
7 files changed · +34 −20
  • src/main/java/org/jenkinsci/plugins/ansible/AbstractAnsibleInvocation.java+1 1 modified
    @@ -121,7 +121,7 @@ public ArgumentListBuilder appendExtraVars(ArgumentListBuilder args) {
             if (extraVars != null && ! extraVars.isEmpty()) {
                 for (ExtraVar var : extraVars) {
                     args.add("-e");
    -                String value = envVars.expand(var.getValue());
    +                String value = envVars.expand(var.getSecretValue().getPlainText());
                     if (Pattern.compile("\\s").matcher(value).find()) {
                         value = Util.singleQuote(value);
                     }
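
Review bot: var.getSecretValue().getPlainText() in appendExtraVars has no null check, and ExtraVar only fills secretValue through setSecretValue() or the readResolve() migration, so an entry saved with a key and no value throws a NullPointerException here. Guard the call (Secret.toString(var.getSecretValue()) is null-safe) and decide explicitly what an absent value does, for example skipping the variable.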
    
  • src/main/java/org/jenkinsci/plugins/ansible/ExtraVar.java+19 8 modified
    @@ -18,42 +18,53 @@
     import hudson.Extension;
     import hudson.model.AbstractDescribableImpl;
     import hudson.model.Descriptor;
    +import hudson.util.Secret;
    +
     import org.kohsuke.stapler.DataBoundConstructor;
     import org.kohsuke.stapler.DataBoundSetter;
     
     public class ExtraVar extends AbstractDescribableImpl<ExtraVar> {
     
         public String key;
     
    -    public String value;
    +    public transient String value;
    +
    +    public Secret secretValue;
     
    -    public boolean hidden;
    +    public boolean hidden = true;
     
         @DataBoundConstructor
         public ExtraVar() {
         }
     
    +    protected Object readResolve() {
    +        if (value != null) {
    +            this.setSecretValue(Secret.fromString(value));
    +        }
    +        return this;
    +    }
    +
         @DataBoundSetter
         public void setKey(String key) {
             this.key = key;
         }
     
         @DataBoundSetter
    -    public void setValue(String value) {
    -        this.value = value;
    +    public void setHidden(boolean hidden) {
    +        this.hidden = hidden;
         }
     
         @DataBoundSetter
    -    public void setHidden(boolean hidden) {
    -        this.hidden = hidden;
    +    public void setSecretValue(Secret value) {
    +        this.secretValue = value;
         }
     
         public String getKey() {
             return key;
         }
     
    -    public String getValue() {
    -        return value;
    +    public Secret getSecretValue() {
    +        return this.secretValue;
         }
     
         public boolean isHidden() {
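
Review bot: readResolve() converts a legacy value only in memory when the object is loaded, so a config.xml written by an affected version keeps the plaintext on disk until the job is saved again; call that out in the release notes or re-save affected items on upgrade. The fields value and secretValue also stay public, and setValue(String)/getValue() are removed without a deprecated bridge, which breaks any caller compiled against the old accessors.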
    
  • src/main/java/org/jenkinsci/plugins/ansible/jobdsl/context/ExtraVarsContext.java+3 1 modified
    @@ -6,6 +6,8 @@
     import javaposse.jobdsl.dsl.Context;
     import org.jenkinsci.plugins.ansible.ExtraVar;
     
    +import hudson.util.Secret;
    +
     /**
      * @author pawbur (Pawel Burchard)
      */
    @@ -15,7 +17,7 @@ public class ExtraVarsContext implements Context {
         public void extraVar(String key, String value, boolean hidden) {
             ExtraVar extraVar = new ExtraVar();
             extraVar.setKey(key);
    -        extraVar.setValue(value);
    +        extraVar.setSecretValue(Secret.fromString(value));
             extraVar.setHidden(hidden);
             this.extraVars.add(extraVar);
         }
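
Review bot: extraVar(String key, String value, boolean hidden) still takes the value as a plain String, so Secret.fromString(value) only protects it after the Job DSL script has already carried it in clear text. Document that, or add an overload that accepts a Secret, so script authors do not assume the DSL path is now masked end to end.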
    
  • src/main/java/org/jenkinsci/plugins/ansible/workflow/AnsiblePlaybookStep.java+3 2 modified
    @@ -38,6 +38,7 @@
     import hudson.model.Run;
     import hudson.model.TaskListener;
     import hudson.util.ListBoxModel;
    +import hudson.util.Secret;
     import jenkins.model.Jenkins;
     import org.apache.commons.lang.StringUtils;
     import org.jenkinsci.plugins.ansible.AnsibleInstallation;
    @@ -383,10 +384,10 @@ private List<ExtraVar> convertExtraVars(Map<String, Object> extraVars) {
                     var.setKey(entry.getKey());
                     Object o = entry.getValue();
                     if (o instanceof Map) {
    -                    var.setValue(((Map)o).get("value").toString());
    +                    var.setSecretValue((Secret)((Map)o).get("value"));
                         var.setHidden((Boolean)((Map)o).get("hidden"));
                     } else {
    -                    var.setValue(o.toString());
    +                    var.setSecretValue((Secret)o);
                         var.setHidden(false);
                     }
                     extraVarList.add(var);
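
Review bot: the casts (Secret)((Map)o).get("value") and (Secret)o in convertExtraVars replace toString() calls that accepted any Object from the Map<String, Object>, so a caller that passes a String or a number now gets a ClassCastException. Check the type first, for example o instanceof Secret ? (Secret) o : Secret.fromString(o.toString()), and do the same for the map form.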
    
  • src/main/resources/org/jenkinsci/plugins/ansible/AnsibleAdHocCommandBuilder/config.jelly+3 3 modified
    @@ -71,11 +71,11 @@
               <f:entry title="${%Key}" field="key">
                 <f:textbox  clazz="required" />
               </f:entry>
    -          <f:entry title="${%Value}" field="value">
    -            <f:textbox clazz="required" />
    +          <f:entry title="${%Value}" field="secretValue">
    +            <f:password clazz="required" />
               </f:entry>
               <f:entry title="${%Hidden variable in build log}" field="hidden">
    -            <f:checkbox default="false" />
    +            <f:checkbox default="true" />
               </f:entry>
               <f:entry>
                 <div align="right" class="repeatable-delete show-if-only">
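
Review bot: field="secretValue" with f:password masks the value in this form, but the "Hidden variable in build log" checkbox beside it can still be unticked, and default="true" sets the initial state for new entries rather than changing saved ones. Consider whether a value stored as a Secret should ever be printable in the build log, or at least say in the help text that unticking the box exposes it there.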
    
  • src/main/resources/org/jenkinsci/plugins/ansible/AnsiblePlaybookBuilder/config.jelly+3 3 modified
    @@ -80,11 +80,11 @@
               <f:entry title="${%Key}" field="key">
                 <f:textbox  clazz="required" />
               </f:entry>
    -          <f:entry title="${%Value}" field="value">
    -            <f:textbox clazz="required" />
    +          <f:entry title="${%Value}" field="secretValue">
    +            <f:password clazz="required" />
               </f:entry>
               <f:entry title="${%Hidden variable in build log}" field="hidden">
    -            <f:checkbox default="false" />
    +            <f:checkbox default="true" />
               </f:entry>
               <f:entry>
                 <div align="right" class="repeatable-delete show-if-only">
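
Review bot: this is the same three-line change as in AnsibleAdHocCommandBuilder/config.jelly, applied by hand to a second copy of the extra-variable entry block. Moving the key, secretValue and hidden entries into one shared Jelly fragment would keep the two forms from drifting apart the next time the masking behaviour changes.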
    
  • src/test/java/org/jenkinsci/plugins/ansible/jobdsl/JobDslIntegrationTest.java+2 2 modified
    @@ -64,7 +64,7 @@ public void shouldCreateJobWithPlaybookDsl() throws Exception {
             assertThat("disableHostKeyChecking", step.disableHostKeyChecking, is(false));
             assertThat("additionalParameters", step.additionalParameters, is("params"));
             assertThat("extraVar.key", step.extraVars.get(0).getKey(), is("key"));
    -        assertThat("extraVar.value", step.extraVars.get(0).getValue(), is("value"));
    +        assertThat("extraVar.value", step.extraVars.get(0).getSecretValue().getPlainText(), is("value"));
             assertThat("extraVar.hidden", step.extraVars.get(0).isHidden(), is(true));
     
         }
    @@ -93,7 +93,7 @@ public void shouldCreateJobWithLegacyPlaybookDsl() throws Exception {
             assertThat("disableHostKeyChecking", step.disableHostKeyChecking, is(true));
             assertThat("additionalParameters", step.additionalParameters, is("params"));
             assertThat("extraVar.key", step.extraVars.get(0).getKey(), is("key"));
    -        assertThat("extraVar.value", step.extraVars.get(0).getValue(), is("value"));
    +        assertThat("extraVar.value", step.extraVars.get(0).getSecretValue().getPlainText(), is("value"));
             assertThat("extraVar.hidden", step.extraVars.get(0).isHidden(), is(true));
     
         }
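
Review bot: both test hunks only swap getValue() for getSecretValue().getPlainText() in existing assertions, so nothing exercises the new readResolve() migration or an ExtraVar with no value. Add a test that loads a job whose stored ExtraVar carries the legacy value field and asserts that getSecretValue() is populated, plus one for an entry with no value set.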
    

Vulnerability mechanics

Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
