{
  "document": {
    "aggregate_severity": {
      "text": "Medium"
    },
    "category": "csaf_vex",
    "csaf_version": "2.0",
    "distribution": {
      "text": "TuxCare License Agreement",
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "en",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.",
        "title": "Terms of Use"
      }
    ],
    "publisher": {
      "category": "vendor",
      "contact_details": "https://tuxcare.com/contact/",
      "name": "TuxCare",
      "namespace": "https://tuxcare.com/"
    },
    "references": [
      {
        "category": "self",
        "summary": "Canonical URL",
        "url": "https://security.tuxcare.com/csaf/v2/els_os/debian10els/vex/2023/cve-2023-32982-els_os-debian10els.json"
      }
    ],
    "tracking": {
      "current_release_date": "2026-06-18T16:39:02Z",
      "generator": {
        "date": "2026-06-19T11:04:14Z",
        "engine": {
          "name": "pyCSAF"
        }
      },
      "id": "CVE-2023-32982-ELS_OS-DEBIAN10ELS",
      "initial_release_date": "2023-05-16T16:15:00Z",
      "revision_history": [
        {
          "date": "2023-05-16T16:15:00Z",
          "number": "1",
          "summary": "Initial version"
        },
        {
          "date": "2026-06-18T16:39:02Z",
          "number": "2",
          "summary": "Official Publication"
        }
      ],
      "status": "final",
      "version": "2"
    },
    "title": "Security update on CVE-2023-32982"
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_name",
                "name": "Debian 10",
                "product": {
                  "name": "Debian 10",
                  "product_id": "Debian-10",
                  "product_identification_helper": {
                    "cpe": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*"
                  }
                }
              }
            ],
            "category": "product_family",
            "name": "Debian"
          },
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all",
                "product": {
                  "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all",
                  "product_id": "ansible-0:2.7.7+dfsg-1+deb10u2.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/debian/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all",
                "product": {
                  "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all",
                  "product_id": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/debian/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "all"
          }
        ],
        "category": "vendor",
        "name": "Software in the Public Interest, Inc."
      },
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version",
                "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                "product": {
                  "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                  "product_id": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all"
                  }
                }
              },
              {
                "category": "product_version",
                "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                "product": {
                  "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                  "product_id": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
                  "product_identification_helper": {
                    "purl": "pkg:deb/tuxcare/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all"
                  }
                }
              }
            ],
            "category": "architecture",
            "name": "all"
          }
        ],
        "category": "vendor",
        "name": "TuxCare"
      }
    ],
    "relationships": [
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian 10",
          "product_id": "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all"
        },
        "product_reference": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian 10",
          "product_id": "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all"
        },
        "product_reference": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all as a component of Debian 10",
          "product_id": "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all"
        },
        "product_reference": "ansible-0:2.7.7+dfsg-1+deb10u2.all",
        "relates_to_product_reference": "Debian-10"
      },
      {
        "category": "default_component_of",
        "full_product_name": {
          "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all as a component of Debian 10",
          "product_id": "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all"
        },
        "product_reference": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all",
        "relates_to_product_reference": "Debian-10"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2023-32982",
      "cwe": {
        "id": "CWE-311",
        "name": "Missing Encryption of Sensitive Data"
      },
      "notes": [
        {
          "category": "description",
          "text": "Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier stores extra variables unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.",
          "title": "Vulnerability description"
        },
        {
          "category": "general",
          "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.",
          "title": "CVSS score applicability"
        }
      ],
      "product_status": {
        "known_affected": [
          "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
          "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all",
          "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
          "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all"
        ]
      },
      "references": [
        {
          "category": "self",
          "summary": "Canonical URL",
          "url": "https://cve.tuxcare.com/els/cve/CVE-2023-32982"
        },
        {
          "category": "external",
          "summary": "Jenkins Security Advisory 2023-05-16 (SECURITY-3017)",
          "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017"
        }
      ],
      "release_date": "2023-05-16T16:15:00Z",
      "remediations": [
        {
          "category": "no_fix_planned",
          "date": "2026-06-19T08:28:59.353718Z",
          "details": "This issue only exposes “extra variables” stored in job config.xml to authenticated users who already have Item/Extended Read (a non-default permission) or direct filesystem access to the Jenkins controller—both of which are privileged, internal access paths rather than unauthenticated remote vectors. It is a confidentiality-only exposure that does not affect the Jenkins Credentials store, code execution, integrity, or availability. Any secret passed as an extra variable should nevertheless be treated as readable by those users. Given the required permissions and the blast radius limited to data intentionally embedded as extra variables in specific jobs, the practical risk in centrally managed enterprise Jenkins environments is low, and the issue can be safely deprioritized.",
          "product_ids": [
            "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
            "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all",
            "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
            "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all"
          ]
        }
      ],
      "scores": [
        {
          "cvss_v3": {
            "attackComplexity": "LOW",
            "attackVector": "NETWORK",
            "availabilityImpact": "NONE",
            "baseScore": 4.3,
            "baseSeverity": "MEDIUM",
            "confidentialityImpact": "LOW",
            "integrityImpact": "NONE",
            "privilegesRequired": "LOW",
            "scope": "UNCHANGED",
            "userInteraction": "NONE",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
            "version": "3.1"
          },
          "products": [
            "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
            "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all",
            "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all",
            "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all"
          ]
        }
      ],
      "threats": [
        {
          "category": "impact",
          "details": "Moderate"
        }
      ]
    }
  ]
}