VYPR
Moderate severity · NVD Advisory · Published Oct 2, 2024 · Updated Mar 19, 2025

CVE-2024-47803

Description

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages for form submissions using the secretTextarea field, leading to potential secret exposure in logs.

Vulnerability

Description

The secretTextarea form field is Jenkins' form control for multi-line secrets such as private keys or sensitive configuration files, and its contents are meant to stay out of anything Jenkins writes back or logs. In Jenkins 2.478 and earlier, and LTS 2.462.2 and earlier, that does not hold when a form submission involving the field fails: the generated error message includes the full, unredacted secret value [2]. As a result, a validation failure or any other form error can write the plaintext secret to the system log or to other error output channels [1][2].

Exploitation

Scenario

No elevated privileges are needed to trigger the leak. Any user who can submit a form containing a secretTextarea field can provoke a form error (for example, by supplying invalid input in another required field on the same form), and the resulting error message will carry the plaintext value. The submitter already knows the value they typed, so the exposure that matters is to whoever can read where that message ends up: Jenkins restricts access to its own system log, but internal monitoring tools, log forwarding, or shared logging infrastructure can put the message in front of a wider audience [1][2]. No special network position is required beyond ordinary user access to the Jenkins web interface.

Impact

If exploited, multi-line secrets such as SSH private keys, API tokens, or other sensitive configuration content can be disclosed. That can lead to unauthorized access to connected systems, credential compromise, or lateral movement within an organization's infrastructure [2]. The severity is rated Medium; NVD had not published a CVSS score at the time of this synthesis.

Mitigation

Jenkins addressed the issue in 2.479 (weekly) and 2.462.3 (LTS) by redacting multi-line secret values in error messages generated for secretTextarea form submissions [2]. Users should upgrade to those or later versions. No workaround is documented, since the fix requires updating Jenkins core. Upgrading stops new leaks but does not remove values already written out: operators should search existing system logs, and any downstream log stores those logs were shipped to, for form-submission errors from affected versions, and rotate any secret found there.
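The post-upgrade check described above, as an added example that is not part of this page or of the Jenkins project: a scanner that finds PEM-encoded private keys (the most common multi-line secret a secretTextarea holds) in log text and produces a redacted copy. The sample log lines are constructed for this example; they use the Jenkins system-log line layout, but the wording of the error lines is invented and does not reproduce what Jenkins actually prints. The pattern matches a key body whether it was logged with real newlines or with the two-character escape "\n" that a value serialized inside a JSON string would carry.

```python
import re

# Added example, not Jenkins project code. A PEM block: BEGIN marker, body,
# END marker with the same label. DOTALL lets the body span real newlines;
# the literal backslash-n of a JSON-escaped value is matched by "." as well.
PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+?)-----"
    r"(?P<body>.*?)"
    r"-----END (?P=label)-----",
    re.DOTALL,
)

# Constructed sample log. Line format mimics the Jenkins system log; the
# "form submission error" text is invented for this example.
SAMPLE_LOG = (
    "2024-10-02 10:15:01.000+0000 [id=17]\tINFO\thudson.WebAppMain#contextInitialized: "
    "Jenkins is fully up and running\n"
    "2024-10-02 10:16:42.000+0000 [id=42]\tSEVERE\tform submission error (constructed); "
    "submitted value: -----BEGIN OPENSSH PRIVATE KEY-----\\nb3BlbnNzaC1rZXktdjEAAAAA\\n"
    "-----END OPENSSH PRIVATE KEY-----\n"
    "2024-10-02 10:17:05.000+0000 [id=42]\tSEVERE\tform submission error (constructed); "
    "submitted value:\n"
    "-----BEGIN RSA PRIVATE KEY-----\n"
    "MIIEowIBAAKCAQEAexampleexampleexample\n"
    "-----END RSA PRIVATE KEY-----\n"
)


def find_leaked_keys(log_text):
    """Return a list of (line_number, label) for every PEM block found.
    line_number is the 1-based line that holds the BEGIN marker."""
    hits = []
    for m in PEM_BLOCK.finditer(log_text):
        line_no = log_text.count("\n", 0, m.start()) + 1
        hits.append((line_no, m.group("label")))
    return hits


def redact_leaked_keys(log_text):
    """Replace the body of every PEM block but keep the markers, so the
    redacted log still records that a key was present."""
    return PEM_BLOCK.sub(
        lambda m: f"-----BEGIN {m.group('label')}-----[REDACTED]-----END {m.group('label')}-----",
        log_text,
    )


if __name__ == "__main__":
    for line_no, label in find_leaked_keys(SAMPLE_LOG):
        print(f"line {line_no}: leaked {label}; rotate this key")
    print(redact_leaked_keys(SAMPLE_LOG))
```

The scanner reports the line of the BEGIN marker so the hit can be tied back to the request that caused it. Any key it finds should be treated as compromised and rotated; redacting the stored log is a clean-up step, not a substitute for rotation.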

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package                                    Affected versions     Patched versions
org.jenkins-ci.main:jenkins-core (Maven)   < 2.462.3             2.462.3
org.jenkins-ci.main:jenkins-core (Maven)   >= 2.466, < 2.479     2.479
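As an added example (not code from this page or from the Jenkins project), a check that classifies a Jenkins core version against these ranges. It follows the advisory text (weekly 2.478 and earlier, LTS 2.462.2 and earlier are affected) rather than the package ranges above read literally, because those ranges as listed leave weekly 2.463 through 2.465 uncovered. It distinguishes LTS from weekly releases by component count, which is how Jenkins numbers them, and it assumes the instance reports its version in the X-Jenkins response header, which Jenkins sends by default; the header helper takes a plain dict so the block runs offline.

```python
import re

# Added example, not Jenkins project code. First fixed versions per the
# advisory: LTS 2.462.3 and weekly 2.479.
LTS_FIXED = (2, 462, 3)
WEEKLY_FIXED = (2, 479)

# Weekly releases have two numeric components ("2.478"), LTS releases three
# ("2.462.2"). Snapshots, rc builds and anything else are rejected, not guessed.
VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?$")


def parse_jenkins_version(version):
    """Parse a Jenkins core version string into a tuple of ints."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in m.groups() if p is not None)


def is_lts(parts):
    return len(parts) == 3


def is_affected(version):
    """True if the version predates the fix on its release line."""
    parts = parse_jenkins_version(version)
    return parts < (LTS_FIXED if is_lts(parts) else WEEKLY_FIXED)


def fixed_version_for(version):
    """The first fixed version on the same release line (LTS or weekly)."""
    return "2.462.3" if is_lts(parse_jenkins_version(version)) else "2.479"


def version_from_headers(headers):
    """Pull the version out of the X-Jenkins response header (assumed to be
    present, as on a default Jenkins install). Header names are matched
    case-insensitively; returns None if the header is absent."""
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


def report(version):
    """One-line verdict suitable for an inventory script."""
    if is_affected(version):
        return f"{version}: affected by CVE-2024-47803, upgrade to {fixed_version_for(version)} or later"
    return f"{version}: not affected (fix present since {fixed_version_for(version)})"


if __name__ == "__main__":
    # Constructed header dict standing in for a real HTTP response.
    found = version_from_headers({"X-Jenkins": "2.478", "Content-Type": "text/html"})
    print(report(found))
    for v in ("2.479", "2.462.2", "2.462.3", "2.465"):
        print(report(v))
```

A version with a suffix such as 2.479-SNAPSHOT raises rather than being classified, since a pre-release build of the fixed version may or may not contain the fix.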

Affected products: 4

Patches: 0 (no patches discovered yet)


References: 3

News mentions: 1