{ "document": { "aggregate_severity": { "text": "Medium" }, "category": "csaf_vex", "csaf_version": "2.0", "distribution": { "text": "TuxCare License Agreement", "tlp": { "label": "WHITE", "url": "https://www.first.org/tlp/" } }, "lang": "en", "notes": [ { "category": "legal_disclaimer", "text": "This content is licensed under the Creative Commons Attribution 4.0 International License (https://creativecommons.org/licenses/by/4.0/). If you distribute this content, or a modified version of it, you must provide attribution to Cloud Linux Inc. and provide a link to the original.", "title": "Terms of Use" } ], "publisher": { "category": "vendor", "contact_details": "https://tuxcare.com/contact/", "name": "TuxCare", "namespace": "https://tuxcare.com/" }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://security.tuxcare.com/csaf/v2/els_os/debian10els/vex/2023/cve-2023-32983-els_os-debian10els.json" } ], "tracking": { "current_release_date": "2026-06-18T16:39:04Z", "generator": { "date": "2026-06-19T11:04:14Z", "engine": { "name": "pyCSAF" } }, "id": "CVE-2023-32983-ELS_OS-DEBIAN10ELS", "initial_release_date": "2023-05-16T16:15:00Z", "revision_history": [ { "date": "2023-05-16T16:15:00Z", "number": "1", "summary": "Initial version" }, { "date": "2026-06-18T16:39:04Z", "number": "2", "summary": "Official Publication" } ], "status": "final", "version": "2" }, "title": "Security update on CVE-2023-32983" }, "product_tree": { "branches": [ { "branches": [ { "branches": [ { "category": "product_name", "name": "Debian 10", "product": { "name": "Debian 10", "product_id": "Debian-10", "product_identification_helper": { "cpe": "cpe:2.3:o:debian:debian_linux:10:*:*:*:*:*:*:*" } } } ], "category": "product_family", "name": "Debian" }, { "branches": [ { "category": "product_version", "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all", "product": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all", "product_id": "ansible-0:2.7.7+dfsg-1+deb10u2.all", "product_identification_helper": { "purl": "pkg:deb/debian/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all" } } }, { "category": "product_version", "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all", "product": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all", "product_id": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all", "product_identification_helper": { "purl": "pkg:deb/debian/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "Software in the Public Interest, Inc." }, { "branches": [ { "branches": [ { "category": "product_version", "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_id": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/ansible@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all" } } }, { "category": "product_version", "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_id": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "product_identification_helper": { "purl": "pkg:deb/tuxcare/ansible-doc@2.7.7%2Bdfsg-1%2Bdeb10u2%2Btuxcare.els1?arch=all" } } } ], "category": "architecture", "name": "all" } ], "category": "vendor", "name": "TuxCare" } ], "relationships": [ { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian 10", "product_id": "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all" }, "product_reference": "ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all as a component of Debian 10", "product_id": "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all" }, "product_reference": "ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-0:2.7.7+dfsg-1+deb10u2.all as a component of Debian 10", "product_id": "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all" }, "product_reference": "ansible-0:2.7.7+dfsg-1+deb10u2.all", "relates_to_product_reference": "Debian-10" }, { "category": "default_component_of", "full_product_name": { "name": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all as a component of Debian 10", "product_id": "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all" }, "product_reference": "ansible-doc-0:2.7.7+dfsg-1+deb10u2.all", "relates_to_product_reference": "Debian-10" } ] }, "vulnerabilities": [ { "cve": "CVE-2023-32983", "cwe": { "id": "CWE-312", "name": "Cleartext Storage of Sensitive Information" }, "notes": [ { "category": "description", "text": "Jenkins Ansible Plugin 204.v8191fd551eb_f and earlier does not mask extra variables displayed on the configuration form, increasing the potential for attackers to observe and capture them.", "title": "Vulnerability description" }, { "category": "general", "text": "The CVSS score(s) listed for this vulnerability do not reflect the associated product's status, and are included for informational purposes to better understand the severity of this vulnerability.", "title": "CVSS score applicability" } ], "product_status": { "known_affected": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all" ] }, "references": [ { "category": "self", "summary": "Canonical URL", "url": "https://cve.tuxcare.com/els/cve/CVE-2023-32983" }, { "category": "external", "summary": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017", "url": "https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3017" } ], "release_date": "2023-05-16T16:15:00Z", "remediations": [ { "category": "no_fix_planned", "date": "2026-06-19T08:29:00.248298Z", "details": "This issue only exposes values in the Jenkins job configuration form: an attacker must already be able to view that page (e.g., via job configuration/extended read access or direct observation) to see the unmasked “extra variables,” so it does not create new access paths. It has no integrity or availability impact and does not enable code execution, limiting consequence to low‑scope confidentiality exposure of whatever is manually entered in those fields. In centrally managed server/VM environments where configuration UI access is restricted to authorized operators, practical exploitability is low and this CVE can be safely deprioritized.", "product_ids": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all" ] } ], "scores": [ { "cvss_v3": { "attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1" }, "products": [ "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-0:2.7.7+dfsg-1+deb10u2.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2+tuxcare.els1.all", "Debian-10:ansible-doc-0:2.7.7+dfsg-1+deb10u2.all" ] } ], "threats": [ { "category": "impact", "details": "Moderate" } ] } ] }