First published: Wed Jul 26 2023
Chef Identity Plugin stores the user.pem key in its global configuration file `io.chef.jenkins.ChefIdentityBuildWrapper.xml` on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it. The on-disk encryption does not help here: the form shows the key in a plain text field, so anyone who can view the global configuration page, or a screenshot or screen share of it, can read the key.
Credit: jenkinsci-cert@googlegroups.com
Affected Software | Affected Version | How to fix |
---|---|---|
Jenkins Chef Identity | <=2.0.3 | Update to 2.0.4 or later |
The severity of CVE-2023-39155 is medium with a CVSS score of 5.3.
Jenkins Chef Identity Plugin 2.0.3 and earlier does not mask the user.pem key form field.
The user.pem key is stored, encrypted, in the global configuration file `io.chef.jenkins.ChefIdentityBuildWrapper.xml` on the Jenkins controller.
The impact of CVE-2023-39155 is that the user.pem key could be observed and captured by anyone who can view the plugin's global configuration form, because the affected versions display the key in an unmasked field.
To fix CVE-2023-39155, you should update Jenkins Chef Identity Plugin to version 2.0.4 or later.
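The check a practitioner would want here is whether a controller is still on an affected release. The script below is an added example, not part of this advisory or of the Chef Identity Plugin itself. It reads the JSON the Jenkins plugin manager exposes at `/pluginManager/api/json?depth=1` (the sample document is constructed inline so the script runs offline) and flags any Chef Identity install below the fixed version 2.0.4. The plugin `shortName` `chef-identity` is an assumption; verify it against your own plugin manager output. Versions are compared numerically, so `2.0.10` is correctly treated as newer than `2.0.4`, and a pre-release such as `2.0.4-SNAPSHOT` is conservatively treated as still affected.

```python
"""Flag Jenkins controllers still running Chef Identity Plugin <= 2.0.3 (CVE-2023-39155).

Added example, not code from the advisory or the plugin project. Input is the
JSON returned by /pluginManager/api/json?depth=1 on a Jenkins controller; the
sample below is constructed for this example, the real request needs an API token.
"""
import json
import re

# Assumed shortName of the Chef Identity plugin in the plugin manager; verify locally.
PLUGIN_SHORT_NAME = "chef-identity"
# Fixed version stated in the advisory.
FIXED_VERSION = "2.0.4"

# Constructed sample of the plugin manager JSON (only the fields used here).
SAMPLE_PLUGIN_MANAGER_JSON = json.dumps({
    "plugins": [
        {"shortName": "chef-identity", "version": "2.0.3", "active": True},
        {"shortName": "git", "version": "5.2.1", "active": True},
    ]
})


def parse_version(version):
    """Turn '2.0.3', '2.0.10' or '2.0.4-SNAPSHOT' into a comparable tuple.

    Numeric components compare as integers (so 2.0.10 > 2.0.4, which a plain
    string comparison gets wrong). Missing components are padded with zeros.
    A pre-release suffix sorts just below the plain release of the same number,
    so a snapshot of the fixed version is still reported as affected.
    """
    core, _, suffix = version.partition("-")
    nums = tuple(int(p) for p in re.findall(r"\d+", core))
    nums += (0,) * (3 - len(nums))
    return nums + ((0,) if suffix else (1,))


def is_affected(version, fixed=FIXED_VERSION):
    """True when `version` is older than the fixed release."""
    return parse_version(version) < parse_version(fixed)


def affected_plugins(plugin_manager_json):
    """Return a list of findings for affected Chef Identity installs.

    Each finding carries the installed version and the remediation, so the
    result can be dropped straight into a ticket or a report.
    """
    data = json.loads(plugin_manager_json)
    findings = []
    for plugin in data.get("plugins", []):
        if plugin.get("shortName") != PLUGIN_SHORT_NAME:
            continue
        version = plugin.get("version", "0")
        if is_affected(version):
            findings.append({
                "shortName": PLUGIN_SHORT_NAME,
                "version": version,
                "cve": "CVE-2023-39155",
                "fix": f"update to {FIXED_VERSION} or later",
            })
    return findings


if __name__ == "__main__":
    for finding in affected_plugins(SAMPLE_PLUGIN_MANAGER_JSON):
        print(f"{finding['shortName']} {finding['version']} affected by "
              f"{finding['cve']}: {finding['fix']}")
```

Upgrading closes the exposure going forward only; if the configuration page may already have been viewed, screenshotted or shared while an affected version was installed, treat the user.pem key as potentially observed and rotate it.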