CVE-2023-43494

MEDIUM

Jenkins 2.50-2.423 LTS 2.60.1-2.414.1 - Info Disclosure


Exploitation Summary

EIP tracks 1 public exploit for CVE-2023-43494. PoCs published by mqxmm.

AI-analyzed exploit summary: The repository contains a Python script that checks for the presence of CVE-2023-43494 in Jenkins by sending a crafted HTTP request and analyzing the response for a specific table structure. It does not exploit the vulnerability but scans for its presence.

Description

Jenkins 2.50 through 2.423 (both inclusive), LTS 2.60.1 through 2.414.1 (both inclusive) does not exclude sensitive build variables (e.g., password parameter values) from the search in the build history widget, allowing attackers with Item/Read permission to obtain values of sensitive variables used in builds by iteratively testing different characters until the correct sequence is discovered.

Exploits (1)

nomisec SCANNER
by mqxmm · poc
https://github.com/mqxmm/CVE-2023-43494

Classification: Scanner 90%
Attack Type: Info Leak
Complexity: Trivial
Reliability: Reliable
Target: Jenkins 2.50 through 2.423, LTS 2.60.1 through 2.414.1
No auth needed
Prerequisites: Access to the Jenkins web interface
devstral-2 · analyzed Feb 19, 2026

References (2)

Core References
Mailing List, Third Party Advisory
http://www.openwall.com/lists/oss-security/2023/09/20/5

Scores

CVSS v3 4.3
EPSS 0.4915
EPSS Percentile 97.9%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

Status published
Products (3)
jenkins/jenkins 2.50 - 2.424
jenkins/jenkins 2.60.1 - 2.414.2
org.jenkins-ci.main/jenkins-core 2.50 - 2.414.2 (Maven)
Published Sep 20, 2023
Tracked Since Feb 18, 2026