VYPR
Moderate severity · NVD Advisory · Published Sep 6, 2023 · Updated Sep 26, 2024

CVE-2023-41934

Description

Jenkins Pipeline Maven Integration Plugin fails to mask credential usernames in build logs when 'Treat username as secret' is checked, exposing secrets.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Description

The Jenkins Pipeline Maven Integration Plugin, versions 1330.v18e473854496 and earlier, contains a flaw in credential masking. When a user configures custom Maven settings in a Pipeline and checks the 'Treat username as secret' option for credentials, the plugin does not properly replace the username with asterisks in build logs. This results in the actual username being exposed in plain text rather than being masked [1][2][3].

Exploitation

To exploit this vulnerability, an attacker must have access to Pipeline build logs produced by Jenkins. The prerequisite is that a credential is configured in a custom Maven setting with the 'Treat username as secret' option enabled. Any user with permission to view build output logs could then see the unmasked username. No special network position or authentication bypass is required; the attacker simply needs visibility into the logs where the credential is used [1][2].

Impact

The impact is the unintended disclosure of credential usernames. While the password is not directly exposed (only the username is unmasked), this information can aid an attacker in subsequent attacks, such as targeted credential guessing or social engineering. In environments where usernames are considered sensitive secrets, this represents a serious confidentiality breach [1][3].

Mitigation

The vulnerability is fixed in Pipeline Maven Integration Plugin version 1331.v003efa_fd6e81. Users should upgrade to this version immediately. The fix ensures that credential usernames are correctly masked with asterisks in build logs when the 'Treat username as secret' option is enabled. No workarounds are documented [1][2].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
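
An added example (not from the advisory or the Jenkins project): a Python audit helper that checks whether an installed plugin version predates the fixed release 1331.v003efa_fd6e81 and finds build-log lines where a username that should have been masked appears in plain text. The log lines and the username `svc-deploy-7f3` are constructed, and comparing versions by their leading integer is an assumption about the plugin's version scheme.

```python
import hashlib
import re

# Leading component of 1331.v003efa_fd6e81, the fixed version named on this page.
FIXED_RELEASE = 1331

def is_affected(plugin_version):
    """True when the version's leading integer is below the fixed release.
    Assumption: versions order by that leading integer (e.g. 1330.v... < 1331.v...)."""
    m = re.match(r"(\d+)", plugin_version.strip())
    if not m:
        raise ValueError("unrecognised version string: %r" % plugin_version)
    return int(m.group(1)) < FIXED_RELEASE

def find_unmasked(log_text, secret_usernames):
    """Return sorted (line_number, fingerprint) pairs for log lines that show a
    username in plain text. The fingerprint is a truncated SHA-256, so the
    audit report does not repeat the secret it is looking for."""
    hits = []
    for name in secret_usernames:
        # Do not match inside a longer token such as "<name>-old".
        pattern = re.compile(r"(?<![\w-])" + re.escape(name) + r"(?![\w-])")
        tag = hashlib.sha256(name.encode("utf-8")).hexdigest()[:8]
        for lineno, line in enumerate(log_text.splitlines(), start=1):
            if pattern.search(line):
                hits.append((lineno, tag))
    return sorted(hits)

# Constructed sample log; not the plugin's real output format.
SAMPLE_LOG = """\
[build] preparing custom Maven settings
[build] server id 'repo-internal', username 'svc-deploy-7f3'
[build] server id 'repo-mirror', username '****'
[build] server id 'repo-legacy', username 'svc-deploy-7f3-old'
[INFO] BUILD SUCCESS
"""

if __name__ == "__main__":
    for version in ("1330.v18e473854496", "1331.v003efa_fd6e81"):
        print(version, "affected" if is_affected(version) else "fixed")
    for lineno, tag in find_unmasked(SAMPLE_LOG, ["svc-deploy-7f3"]):
        print("line %d: unmasked username (sha256 prefix %s)" % (lineno, tag))
```

Builds whose logs produce hits still hold the plain-text username after the upgrade, so those logs need review in addition to updating the plugin.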

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:pipeline-maven (Maven)
Affected versions: < 1331.v003efa_fd6e81
Patched versions: 1331.v003efa_fd6e81
