CVE-2024-47803: Jenkins exposes multi-line secrets through error messages

October 2, 2024 (updated March 20, 2025)

Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

References

github.com/advisories/GHSA-pj95-ph4q-4qm4
nvd.nist.gov/vuln/detail/CVE-2024-47803
www.jenkins.io/security/advisory/2024-10-02/

Code Behaviors & Features

Detect and mitigate CVE-2024-47803 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →