CVE-2024-47803
📋 TL;DR
Jenkins 2.478 and earlier (including LTS 2.462.2 and earlier) does not redact multi-line secret values in the error messages generated for form submissions that involve the secretTextarea form field, the field Jenkins provides for multi-line secrets such as private keys. An authenticated user who can submit such a form and make it fail can therefore read the multi-line secret in the resulting error message, where other secret fields are redacted. Every instance on an affected version is exposed regardless of plugin set.
💻 Affected Systems
- Jenkins
📦 What is this software?
Jenkins by Jenkins: an open-source automation server used for CI/CD pipelines. It typically holds build, deployment and cloud credentials, which is why redaction of secret values in its UI and logs matters.
⚠️ Risk & Real-World Impact
Worst Case
An authenticated attacker extracts multi-line secrets (typically private keys, but also multi-line tokens or certificates with embedded keys) from error messages, then uses them for credential theft, privilege escalation or lateral movement into the systems those secrets unlock.
Likely Case
An authenticated user, accidentally or deliberately, causes a form that carries a multi-line secret to fail and reads the secret from the error message or from the Jenkins log, then reuses it against the service the secret protects.
If Mitigated
With configuration permissions limited to trusted users and Jenkins logs readable only by administrators, exposure is limited to secrets that the affected user submits or already administers, so the additional risk is small until the upgrade is applied.
🎯 Exploit Status
Exploitation requires an authenticated account that can submit a form containing a secretTextarea field (for example an item or credentials configuration form) and a way to make that submission fail so that an error message containing the submitted values is produced. No exploit tooling is needed beyond a browser.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Jenkins 2.479, Jenkins LTS 2.462.3
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451
Restart Required: Yes
Instructions:
1. Back up your Jenkins instance (JENKINS_HOME and the installed war or package).
2. Upgrade to Jenkins 2.479 or later (weekly) or Jenkins LTS 2.462.3 or later.
3. Restart the Jenkins service.
4. Verify that the upgrade completed successfully (see How to Verify below).
🔧 Temporary Workarounds
Limit who can see the error messages
Redaction is performed by Jenkins during form data binding, so no configuration change restores it on a vulnerable version; the error text is both written to the Jenkins log and rendered to the user who submitted the form. The following only reduces who can read it:
- Restrict the Jenkins system log (Manage Jenkins > System Log) and the log files on disk to administrators.
- Lower java.util.logging verbosity for the relevant loggers where your setup allows it; this does not stop the error page shown to the submitting user.
- Do not rely on the system property hudson.diagnosis.HudsonHomeDiskUsageChecker.enabled: it controls the JENKINS_HOME disk usage check and has no effect on error message redaction.
Restrict who can submit forms that carry multi-line secrets
secretTextarea fields are defined by Jenkins core and plugin configuration forms, not by the administrator, so they cannot simply be removed from job configurations. Instead:
- Identify the configuration forms in your instance that hold multi-line secrets (private keys entered directly into credentials are the common case).
- Limit Item/Configure and credentials administration permissions to trusted users until the upgrade is done.
🧯 If You Can't Patch
- Implement strict access controls to limit which users can access Jenkins forms containing secrets.
- Monitor Jenkins logs for error messages containing multi-line secret material (most recognisably a -----BEGIN ... PRIVATE KEY----- block) and alert on detection; treat any hit as a credential exposure and rotate the secret.
🔍 How to Verify
Check if Vulnerable:
Check the Jenkins version in Manage Jenkins > About Jenkins, from the X-Jenkins header that Jenkins adds to its HTTP responses, or by running the war file with --version. Weekly releases up to and including 2.478 and LTS releases up to and including 2.462.2 are vulnerable.
Check Version:
java -jar jenkins.war --version
Verify Fix Applied:
Confirm the version is 2.479 or later (weekly) or 2.462.3 or later (LTS). If you also want a behavioural check that multi-line secrets in secretTextarea fields are redacted in error messages, use a throwaway value you do not mind seeing in the log: on a vulnerable instance the test itself writes the value into the error message.
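As an added example that is not part of the original page or of Jenkins itself, the following Python script applies the version thresholds above to a version string so the check can be scripted across many controllers. It assumes the usual Jenkins numbering (two-component weekly versions such as 2.478, three-component LTS versions such as 2.462.2) and reads the version from the X-Jenkins response header that Jenkins sends on its responses; the header text in the block is constructed for illustration, not captured from a real server.

```python
"""Version check for CVE-2024-47803 (SECURITY-3451).

Added example: this is not code from the Jenkins project or from the
original page. Fixed versions are taken from the advisory: weekly 2.479,
LTS 2.462.3. Assumed numbering convention: a weekly release has two
components (2.478), an LTS release has three (2.462.2).
"""
import re
from typing import Optional, Tuple

FIXED_WEEKLY = (2, 479)
FIXED_LTS = (2, 462, 3)

# Constructed response headers, as `curl -sI https://jenkins.example.com/`
# might print them; not captured from a real server.
CONSTRUCTED_HEADERS = """HTTP/1.1 403 Forbidden
Date: Wed, 02 Oct 2024 10:00:00 GMT
X-Jenkins: 2.462.2
X-Jenkins-Session: 0123abcd
Content-Type: text/html;charset=utf-8
"""


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.462.2' into (2, 462, 2); reject anything that is not dotted digits."""
    version = version.strip()
    if not re.fullmatch(r"\d+\.\d+(\.\d+)?", version):
        raise ValueError("unrecognised Jenkins version: %r" % version)
    return tuple(int(part) for part in version.split("."))


def is_vulnerable(version: str) -> bool:
    """True when the version is older than the fix for its release line.

    Tuple comparison does the work: (2, 462, 2) < (2, 462, 3) is True and
    (2, 479, 1) < (2, 462, 3) is False, so later LTS lines count as fixed.
    """
    parts = parse_version(version)
    if len(parts) == 3:          # LTS line: x.y.z
        return parts < FIXED_LTS
    return parts < FIXED_WEEKLY  # weekly line: x.y


def version_from_headers(raw_headers: str) -> Optional[str]:
    """Pull the X-Jenkins header value out of raw HTTP response headers."""
    for line in raw_headers.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "x-jenkins":
            return value.strip()
    return None


def assess_headers(raw_headers: str) -> str:
    """Human-readable verdict for one server's response headers."""
    version = version_from_headers(raw_headers)
    if version is None:
        return "no X-Jenkins header: version unknown"
    verdict = "VULNERABLE" if is_vulnerable(version) else "fixed"
    return "Jenkins %s: %s" % (version, verdict)


if __name__ == "__main__":
    print(assess_headers(CONSTRUCTED_HEADERS))
```

The header is usually present even on a 403 for an unauthenticated request, which makes this usable from an inventory script without credentials; if a reverse proxy strips it, fall back to About Jenkins or the --version command above.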
📡 Detection & Monitoring
Log Indicators:
- Jenkins log records for failed form submissions (an exception raised on a configSubmit request) whose message contains multi-line secret material, most recognisably a -----BEGIN ... PRIVATE KEY----- block spanning several lines
- An unusual number of failed form submissions from one account, especially against configuration forms that hold multi-line secrets
Network Indicators:
- HTTP POST requests to Jenkins configuration endpoints (for example */configSubmit) that return error responses (typically HTTP 500), repeated from the same session
SIEM Query:
source="jenkins.log" AND "-----BEGIN" AND "PRIVATE KEY"
A leaked multi-line password or token has no fixed pattern and will not match this query, so pair it with the submission-failure frequency indicator and with any marker your own multi-line secrets carry.
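The log indicators above, turned into runnable detection logic as an added example (not code from the Jenkins project or the original page): it groups log lines into records, flags records that carry a PEM private-key block, and separately counts failed form submissions. The sample log, the record layout, the exception text and the "[value redacted]" placeholder are all constructed for illustration and are assumptions about what a real Jenkins log looks like.

```python
"""Scan Jenkins log text for multi-line secrets that survived in error
messages (the CVE-2024-47803 exposure pattern).

Added example, not code from the Jenkins project or the original page.
It keys on PEM private-key markers because a private key is the most
common multi-line secret; a multi-line password or token has no fixed
shape and is not matched, so an empty result means "no PEM leaked", not
"no exposure". The sample log below is constructed for illustration: the
record layout, the exception text and the "[value redacted]" placeholder
are assumptions, not captured Jenkins output.
"""
import re
from typing import Dict, List

PEM_BEGIN = re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----")
PEM_END = re.compile(r"-----END [A-Z ]*PRIVATE KEY-----")
# Assumption: a log record starts with a timestamp, and continuation lines
# (exception message, stack frames, the key body) do not.
RECORD_START = re.compile(r"^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}")

# Constructed sample: one normal record, one failed submission with an
# unredacted key (vulnerable behaviour), one with the value redacted (fixed).
CONSTRUCTED_LOG = """\
2024-10-02 10:14:03.101+0000 [id=27] INFO hudson.model.Run#execute: example-job #12 completed: SUCCESS
2024-10-02 10:15:41.522+0000 [id=31] WARNING FormSubmission: /job/example-job/configSubmit failed
java.lang.IllegalArgumentException: Failed to instantiate class from {"privateKey":"-----BEGIN OPENSSH PRIVATE KEY-----
CONSTRUCTEDPLACEHOLDERLINE1NOTAREALKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
CONSTRUCTEDPLACEHOLDERLINE2NOTAREALKEYAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
-----END OPENSSH PRIVATE KEY-----"}
    at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java)
2024-10-02 10:16:02.004+0000 [id=31] WARNING FormSubmission: /job/example-job/configSubmit failed
java.lang.IllegalArgumentException: Failed to instantiate class from {"privateKey":"[value redacted]"}
    at org.kohsuke.stapler.RequestImpl.instantiate(RequestImpl.java)
"""


def split_records(log_text: str) -> List[str]:
    """Group lines into records: a timestamped line opens a record, the rest continue it."""
    records: List[str] = []
    current: List[str] = []
    for line in log_text.splitlines():
        if RECORD_START.match(line) and current:
            records.append("\n".join(current))
            current = []
        current.append(line)
    if current:
        records.append("\n".join(current))
    return records


def find_leaked_pem(log_text: str) -> List[Dict[str, object]]:
    """One finding per record that carries a PEM private-key block.

    The key material itself is deliberately not copied into the finding,
    so an alert built from it does not re-leak the secret into the SIEM.
    """
    findings: List[Dict[str, object]] = []
    for record in split_records(log_text):
        begin = PEM_BEGIN.search(record)
        if begin is None:
            continue
        end = PEM_END.search(record, begin.end())
        block = record[begin.start():end.end()] if end else record[begin.start():]
        findings.append({
            "record_head": record.splitlines()[0][:120],
            "marker": begin.group(0),
            "complete": end is not None,       # False if the END marker was cut off
            "key_lines": block.count("\n") + 1,
        })
    return findings


def form_error_records(log_text: str) -> List[str]:
    """Heads of records for form submissions that ended in an exception
    (the submission-failure frequency indicator). Assumes the request path
    appears on the record's first line, as in the constructed sample."""
    heads = []
    for record in split_records(log_text):
        head = record.splitlines()[0]
        if "configSubmit" in head and "Exception" in record:
            heads.append(head)
    return heads


if __name__ == "__main__":
    for finding in find_leaked_pem(CONSTRUCTED_LOG):
        print("LEAK:", finding)
    print("failed submissions:", len(form_error_records(CONSTRUCTED_LOG)))
```

Run it against a real jenkins.log by reading the file into the function instead of CONSTRUCTED_LOG; the record splitter is the part most likely to need adjusting to your log format, since Jenkins log layout depends on the java.util.logging formatter in use.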