Description

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992

Related Vulnerabilities

CVE-2021-21277 Vulnerability in npm package angular-expressions

CVE-2022-21724 Vulnerability in maven package org.postgresql:postgresql

CVE-2019-10753 Vulnerability in maven package com.diffplug.spotless:spotless-eclipse-wtp

CVE-2022-28150 Vulnerability in maven package com.synopsys.jenkinsci:ownership

CVE-2019-19899 Vulnerability in maven package io.pebbletemplates:pebble

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory