CVE-2023-40340 — Jenkins NodeJS Plugin improper credential masking vulnerability

Description

Jenkins NodeJS Plugin integrates with Config File Provider Plugin to specify custom NPM settings, including credentials for authentication, in a Npm config file. NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs. NodeJS Plugin 1.6.1 masks credentials specified in the Npm config file in Pipeline build logs.

How to fix CVE-2023-40340

To remediate CVE-2023-40340, upgrade the affected package to a fixed version below.

—upgrade to 1.6.1 or later

Is CVE-2023-40340 being exploited?

Low — EPSS is 0.2%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

from 0, < 1.6.1

CVSS scores

Source	Version	Severity	Vector
osv	CVSS 3.1	MEDIUM4.3	CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

References (4)

ADVISORYnvd.nist.gov/vuln/detail/CVE-2023-40340
WEBgithub.com/jenkinsci/nodejs-plugin/commit/a2198feb53765f0b1f063b1827e90473a60a25a0
WEBwww.jenkins.io/security/advisory/2023-08-16/#SECURITY-3196
WEBwww.openwall.com/lists/oss-security/2023/08/16/3