CVE-2024-47805
📋 TL;DR
The Jenkins Credentials Plugin vulnerability exposes encrypted credential values stored as SecretBytes when accessing item configuration files via REST API or CLI. This allows authenticated users with appropriate permissions to retrieve sensitive encrypted data that should remain redacted. Organizations using affected Jenkins instances with the Credentials Plugin are impacted.
💻 Affected Systems
- Jenkins Credentials Plugin
📦 What is this software?
Credentials by Jenkins
⚠️ Risk & Real-World Impact
Worst Case
Attackers with authenticated access could extract encrypted credential values, potentially decrypting them to gain unauthorized access to sensitive systems and data.
Likely Case
Authorized users with item configuration access could inadvertently or intentionally view encrypted credential values that should be hidden, compromising credential security.
If Mitigated
With proper access controls and network segmentation, only trusted administrators could access the vulnerable endpoints, limiting exposure.
🎯 Exploit Status
Exploitation requires authenticated access and knowledge of REST API endpoints or CLI commands.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 1380.va_435002fa_925 or later
Vendor Advisory: https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3373
Restart Required: Yes
Instructions:
1. Update Jenkins Credentials Plugin to version 1380.va_435002fa_925 or later via Jenkins Plugin Manager.
2. Restart Jenkins instance.
3. Verify plugin version after restart.
🔧 Temporary Workarounds
Restrict API and CLI Access
Limit access to the Jenkins REST API and CLI to only trusted administrators who require it for operations.
Configure Jenkins security matrix to restrict 'Overall/Read' and 'Job/Configure' permissions
🧯 If You Can't Patch
- Implement strict access controls to limit who can access Jenkins REST API and CLI endpoints
- Monitor and audit access to item configuration files and REST API endpoints for suspicious activity
🔍 How to Verify
Check if Vulnerable:
Check Jenkins Credentials Plugin version in Manage Jenkins > Plugin Manager. If version is 1380.va_435002fa_924 or earlier (except 1371.1373.v4eb_fa_b_7161e9), system is vulnerable.
Check Version:
curl -s http://jenkins-host/pluginManager/installed | grep -A2 'credentials'
Verify Fix Applied:
Verify plugin version is 1380.va_435002fa_925 or later after update. Test accessing item config.xml via REST API to confirm encrypted values are properly redacted.
📡 Detection & Monitoring
Log Indicators:
- Unusual access patterns to /job/*/config.xml endpoints
- Multiple failed authentication attempts followed by successful config.xml access
Network Indicators:
- HTTP requests to Jenkins REST API config.xml endpoints from unexpected sources
SIEM Query:
source="jenkins.log" AND (uri_path="/job/*/config.xml" OR uri_path="/api/xml") AND (http_method="GET" OR http_method="POST")
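As an added detection example (not part of the advisory), the following Python applies the SIEM query's filter to Jenkins access-log lines, assuming the NCSA common log format written by Jenkins' built-in access logger and an allowlist of administrator source addresses; the sample log lines and the allowlist are constructed.

```python
"""Flag Jenkins access-log requests that read item configuration (the
/job/*/config.xml and /api/xml endpoints named in the SIEM query above)
from hosts outside an expected-administrator allowlist."""
import re

# Assumed NCSA common log format, as written by Jenkins' built-in access
# logger (winstone SimpleAccessLogger). Adjust the regex if yours differs.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Paths whose responses carry item configuration (and thus SecretBytes values),
# including config.xml of jobs nested in folders.
CONFIG_PATH_RE = re.compile(
    r'^/job/[^/?]+(?:/job/[^/?]+)*/config\.xml(?:\?.*)?$|/api/xml(?:\?.*)?$'
)

def config_reads(lines, allowed_sources):
    """Return (src, user, path) for successful GET/POST configuration reads
    whose source address is not in allowed_sources."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # line not in the expected format
        if m["method"] not in ("GET", "POST"):
            continue
        if not m["status"].startswith("2"):
            continue  # only successful responses returned configuration data
        if not CONFIG_PATH_RE.search(m["path"]):
            continue
        if m["src"] in allowed_sources:
            continue
        hits.append((m["src"], m["user"], m["path"]))
    return hits

# Constructed sample log lines (not real data).
SAMPLE_LOG = [
    '10.0.0.5 - alice [02/Oct/2024:10:01:02 +0000] "GET /job/deploy/config.xml HTTP/1.1" 200 4312',
    '10.0.0.5 - alice [02/Oct/2024:10:01:03 +0000] "GET /job/deploy/ HTTP/1.1" 200 8711',
    '203.0.113.9 - bob [02/Oct/2024:10:05:40 +0000] "GET /job/deploy/config.xml HTTP/1.1" 403 512',
    '203.0.113.9 - bob [02/Oct/2024:10:06:01 +0000] "GET /job/team/job/build/config.xml HTTP/1.1" 200 5120',
    '203.0.113.9 - bob [02/Oct/2024:10:06:05 +0000] "GET /job/team/api/xml?depth=1 HTTP/1.1" 200 9001',
    '198.51.100.7 - - [02/Oct/2024:10:07:00 +0000] "POST /job/deploy/config.xml HTTP/1.1" 200 0',
]
ADMIN_SOURCES = {"10.0.0.5"}  # assumed allowlist of administrator workstations

if __name__ == "__main__":
    for hit in config_reads(SAMPLE_LOG, ADMIN_SOURCES):
        print("configuration read from unexpected source:", hit)
```

The 403 line is deliberately excluded: a denied request leaks nothing, but a burst of them followed by a 200 is the pattern the log indicators above describe.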