CVE-2024-28154: Jenkins MQ Notifier Plugin exposes sensitive information in build logs

March 6, 2024 (updated January 21, 2025)

Jenkins MQ Notifier Plugin 1.4.0 and earlier logs potentially sensitive build parameters as part of debug information in build logs by default.

References

github.com/advisories/GHSA-8fm4-r23p-v68v
github.com/jenkinsci/mq-notifier-plugin
github.com/jenkinsci/mq-notifier-plugin/commit/46c9f228a3317eb87562bc3d99f7e184bdcecbfe
nvd.nist.gov/vuln/detail/CVE-2024-28154
www.jenkins.io/security/advisory/2024-03-06/

Code Behaviors & Features

Detect and mitigate CVE-2024-28154 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →