Cleartext storage of sensitive information in Ansible - CVE-2023-32982
Published: May 17, 2023
Vulnerability identifier: #VU76240
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2023-32982
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability:
No public exploit available
Vendor: Jenkins
Affected software:
Ansible
Ansible
Detailed vulnerability description
The vulnerability allows a remote attacker to gain access to potentially sensitive information.
The vulnerability exists due to the affected plugin stores these extra variables unencrypted in job config.xml files on the Jenkins controller as part of its configuration. A remote user can view these extra variables.
How to mitigate CVE-2023-32982
Install updates from vendor's website.