CVE-2023-43494: 
Java vulnerability analysis and mitigation

CVE-2023-43494 is a security vulnerability discovered in Jenkins, affecting versions 2.50 through 2.423 and LTS versions 2.60.1 through 2.414.1. The vulnerability was disclosed on September 20, 2023, and allows attackers with Item/Read permission to obtain values of sensitive build variables by exploiting the build history widget's search functionality (Jenkins Advisory, OSS Security).

The vulnerability exists in Jenkins' build history widget search functionality, which allows filtering builds by specifying expressions that search through build names, descriptions, and parameter values. The core issue is that sensitive build variables, including password parameter values, were not excluded from this search capability. This allows attackers to discover sensitive values through an iterative process of testing different characters until the correct sequence is found. The vulnerability has been assigned a CVSS v3.1 base score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability enables attackers with Item/Read permission to extract sensitive information from build variables, such as password parameters, by using an iterative character-testing approach through the build history widget's search functionality. This could lead to the unauthorized disclosure of sensitive credentials or configuration data stored in build variables (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.424 and LTS 2.414.2, which exclude sensitive variables from the build history widget search functionality. Users are strongly advised to upgrade to these versions or later to address the vulnerability. No alternative workarounds have been provided (Jenkins Advisory).