CVE-2023-39155: 
Java vulnerability analysis and mitigation

CVE-2023-39155 affects the Jenkins Chef Identity Plugin versions 2.0.3 and earlier. The vulnerability was discovered by Andrea Chiera from CloudBees, Inc. and was publicly disclosed on July 26, 2023. The issue exists in the plugin's handling of the user.pem key in its global configuration form (Jenkins Advisory, OSS Security).

The vulnerability stems from the Chef Identity Plugin storing the user.pem key in its global configuration file 'io.chef.jenkins.ChefIdentityBuildWrapper.xml' on the Jenkins controller. While the key is stored encrypted on disk, the global configuration form does not mask the user.pem key form field. The vulnerability has been assigned a CVSS v3.1 Base Score of 5.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability increases the potential for attackers to observe and capture the user.pem key, which could lead to unauthorized access to sensitive configuration information. The severity is rated as Low according to the Jenkins security advisory (Jenkins Advisory).

As of the publication of the security advisory, there is no fix available for this vulnerability in the Chef Identity Plugin. Users should be aware of the risk and take appropriate precautions to limit access to the global configuration form (Jenkins Advisory).