Chef Identity Plugin stores the user.pem key in its global configuration file `io.chef.jenkins.ChefIdentityBuildWrapper.xml` on the Jenkins controller as part of its configuration.

While this key is stored encrypted on disk, in Chef Identity Plugin 2.0.3 and earlier the global configuration form does not mask the user.pem key form field, increasing the potential for attackers to observe and capture it.

Affected Packages

Maven org.jenkins-ci.plugins:chef-identity

Affected versions: 0 (last affected: 2.0.3)

Related CVEs

CVE-2023-39155

Key Information

GHSA ID

GHSA-5jc5-m87x-88fj

Published

July 26, 2023 3:30 PM

Last Modified

August 1, 2023 9:39 PM

CVSS Score

2.5 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:chef-identity

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 24, 2025 6:28 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.