CVE-2023-40340: Jenkins NodeJS Plugin improper credential masking vulnerability

August 16, 2023 (updated August 18, 2023)

Jenkins NodeJS Plugin 1.6.0 and earlier does not properly mask (i.e., replace with asterisks) credentials specified in the Npm config file in Pipeline build logs.

References

www.openwall.com/lists/oss-security/2023/08/16/3
github.com/advisories/GHSA-36fg-whr2-g999
nvd.nist.gov/vuln/detail/CVE-2023-40340
www.jenkins.io/security/advisory/2023-08-16/

Detect and mitigate CVE-2023-40340 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →