CVE-2024-47803: 
Java vulnerability analysis and mitigation

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier contains a vulnerability where multi-line secret values in error messages generated for form submissions involving the secretTextarea form field are not properly redacted. This vulnerability was discovered and assigned CVE-2024-47803, with a medium severity CVSS v3.1 base score of 4.3 (Jenkins Advisory, NVD).

The vulnerability is related to the secretTextarea form field functionality in Jenkins, which is used for handling multi-line secrets. The issue stems from improper redaction of secret values in error messages generated during form submissions, potentially exposing sensitive information in system logs. This vulnerability has been classified as CWE-209 (Generation of Error Message Containing Sensitive Information) and received a CVSS v3.1 vector of CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N (NVD).

The vulnerability can result in the exposure of multi-line secrets through error messages, particularly in the system log. This issue is similar to a previous vulnerability (SECURITY-765) reported in the 2018-10-10 security advisory (Jenkins Advisory).

The vulnerability has been fixed in Jenkins 2.479 and LTS 2.462.3, which properly redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field. Users are advised to upgrade to these versions or newer to address the vulnerability (Jenkins Advisory).