CVE-2023-39155
Secret displayed without masking by Chef Identity Plugin
CVSS 3.1 score: 3.1 (LOW)
EPSS: 0.20%
Description
Chef Identity Plugin stores the user.pem key in its global configuration file `io.chef.jenkins.ChefIdentityBuildWrapper.xml` on the Jenkins controller as part of its configuration. While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.
How to fix CVE-2023-39155
No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.
- No fix listed
Is CVE-2023-39155 being exploited?
Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- Chef Identity Plugin: from 0, <= 2.0.3
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 3.1 | LOW (3.1) | CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N |