CVE CyberSecurity Database News

CVE-2023-39152 - Jenkins Gradle Plugin’s Masking Bug That Can Leak Credentials

Poster -

In mid-2023, a security vulnerability surfaced in the widely-used Jenkins Gradle Plugin (version 2.8 and below). This flaw, tracked as CVE-2023-39152, involves improper control flow for masking sensitive information, exposing user credentials in build logs. This is a serious concern for any team using Jenkins for continuous integration and delivery because exposed secrets in logs can be easily retrieved by anyone who has access to the job logs. In this post, we’ll break down what happened, how the code went wrong, and what you should do about it.  

What Exactly Is CVE-2023-39152?

CVE-2023-39152 is a vulnerability in the Gradle Plugin for Jenkins (version 2.8 and older). This plugin helps Jenkins run Gradle tasks as build steps. However, when it comes to logging, the plugin fails to always mask sensitive credentials like passwords or tokens—even if configured to do so.

The Problem

Normally, Jenkins plugins use “masking” for environment variables marked as sensitive, replacing their values with "<b></b>" in the log output, even if the code or commands echo them by accident. In this plugin, an always-incorrect control flow implementation meant credentials might not be masked in some circumstances.  

What does that mean? In simple terms, even if users set secrets as protected, the plugin sometimes displayed them in plain text in the job’s log output—dangerous in environments with multiple users or poorly secured logs.

Here’s a simplified version of the problematic Groovy code found in affected versions

if (!envVarsMasker.isMasked(envVar)) {
    // Output credential in plain-text – BAD!
    listener.logger.println("Using secret: ${envVar}")
} else {
    listener.logger.println("Using secret: ")
}

What Went Wrong?

Due to the way envVarsMasker.isMasked() was implemented and called, this control flow always did the wrong thing:

In other cases, even masked variables got dumped as plain text.

Instead, proper masking should never leak secrets, regardless of logic errors.

Jenkins Pipeline Example

pipeline {
    environment {
        SECRET_KEY = credentials('my-secret-api-key')
    }
    stages {
        stage('Test Gradle Build') {
            steps {
                gradle 'clean build'
            }
        }
    }
}

If you echo out the variable (or if Gradle scripts print it), proper masking should result in logs like:

[Gradle] Using secret:

But due to CVE-2023-39152, your build log might instead contain

[Gradle] Using secret: A1b2C3d4E5F6g7H8I9J

Anyone who can read the build log can now copy your API key!

Exploit Details

- Attack Scenario: An attacker with Jenkins read privileges (for job logs) simply inspects past build output.

Original References

- Jenkins Security Advisory 2023-07-12
- National Vulnerability Database: CVE-2023-39152
- Jenkins Gradle Plugin GitHub

Conclusion

CVE-2023-39152 serves as a reminder: simple bugs in masking logic can have dangerous consequences when continuous integration environments handle credentials. Always keep your plugins fresh, and be aware that even minor oversights can have outsized impacts. If you use Jenkins' Gradle Plugin, check your version, upgrade if needed, and review your job logs for accidental leaks.


*Stay safe, and keep your CI/CD secrets secret!* 🚦

Timeline

Published on: 07/26/2023 14:15:00 UTC
Last modified on: 07/31/2023 18:13:00 UTC