Jenkins exposes multi-line secrets through error messages

GHSA-pj95-ph4q-4qm4 · BIT-jenkins-2024-47803 · CVE-2024-47803

Published Oct 2, 2024 · Modified Feb 4, 2026

Description

Jenkins

Jenkins provides the secretTextarea form field for multi-line secrets.

Jenkins 2.478 and earlier, LTS 2.462.2 and earlier does not redact multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

This can result in exposure of multi-line secrets through those error messages, e.g., in the system log.

Jenkins 2.479, LTS 2.462.3 redacts multi-line secret values in error messages generated for form submissions involving the secretTextarea form field.

References

ADVISORY https://nvd.nist.gov/vuln/detail/CVE-2024-47803
WEB https://www.jenkins.io/security/advisory/2024-10-02/#SECURITY-3451

Ready to move

Start Securing

Start for Free Get Demo

Free, no credit card | First findings in minutes