VYPR
Moderate severity · NVD Advisory · Published May 16, 2023 · Updated Jan 23, 2025

CVE-2023-33001

Description

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier fails to mask credentials in the build log when push mode for durable task logging is enabled.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability Overview

Jenkins HashiCorp Vault Plugin 360.v0a_1c04cf807d and earlier does not properly mask (i.e., replace with asterisks) credentials in the build log when push mode for durable task logging is enabled [1][2]. The plugin fails to apply the usual credential masking mechanism under this specific logging configuration, leading to exposure of sensitive values.

Exploitation and Impact

An attacker with access to build logs (e.g., users with Job/Read permission) can view plaintext credentials, such as tokens or passwords, that were retrieved from HashiCorp Vault during a build. No additional authentication is required beyond standard Jenkins access to view build logs [1]. This vulnerability is particularly concerning in shared CI/CD environments where build logs are accessible to multiple users.

Mitigation

Jenkins has addressed this issue in HashiCorp Vault Plugin version 361.v3a_0b_8c2c0a_a_ or later [1]. Users should upgrade to the fixed version immediately. For those unable to upgrade, disabling push mode for durable task logging is a potential workaround, though upgrading is the recommended action [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| com.datapipe.jenkins.plugins:hashicorp-vault-plugin (Maven) | <= 360.v0a | |

Patches

No patches discovered yet.
