CVE-2024-47805: 
Java vulnerability analysis and mitigation

Jenkins Credentials Plugin versions up to 1380.va435002fa924 (except 1371.1373.v4ebfab_7161e9) contain a security vulnerability identified as CVE-2024-47805. The vulnerability was discovered by Kevin Guerroudj from CloudBees, Inc. and was publicly disclosed on October 2, 2024. This vulnerability affects the plugin's handling of encrypted credentials using the SecretBytes type when accessing item config.xml through REST API or CLI (Jenkins Advisory).

The vulnerability stems from the plugin's failure to properly redact encrypted values of credentials that use the SecretBytes type, such as Certificate credentials or Secret file credentials from Plain Credentials Plugin. This issue specifically affects the handling of encrypted values when accessing item config.xml via REST API or CLI. The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (HIGH) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (NVD).

The vulnerability allows attackers with Item/Extended Read permission to view encrypted SecretBytes values in credentials. This exposure of sensitive credential information could potentially lead to unauthorized access to protected resources or systems. The issue is similar to a previous vulnerability (SECURITY-266) from the 2016-05-11 security advisory, which affected the Secret type used for inline secrets and some credentials types (Jenkins Advisory).

Users should upgrade to Credentials Plugin version 1381.v2c3a12074dab_ which redacts the encrypted values of credentials using the SecretBytes type in item config.xml files. However, it's important to note that this fix is only effective on Jenkins 2.479 and newer, or LTS 2.462.3 and newer. While the fixed plugin version can be installed on Jenkins 2.463 through 2.478, the vulnerability will still persist in these versions (Jenkins Advisory).