Description

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992

Related Vulnerabilities

CVE-2023-31101 Vulnerability in maven package org.apache.inlong:manager-web

CVE-2019-11819 Vulnerability in maven package org.opencms:org.opencms.workplace.tools.accounts

CVE-2020-14966 Vulnerability in maven package org.webjars.bower:jsrsasign

CVE-2021-39153 Vulnerability in maven package com.thoughtworks.xstream:xstream

CVE-2018-1000409 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory