Description

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2944

Related Vulnerabilities

CVE-2022-36900 Vulnerability in maven package com.compuware.jenkins:compuware-zadviser-api

CVE-2019-19771 Vulnerability in npm package wallet-address-validtaor

CVE-2022-39198 Vulnerability in maven package com.alibaba:hessian-lite

CVE-2020-26237 Vulnerability in maven package org.webjars.npm:highlight.js

CVE-2019-1003041 Vulnerability in maven package org.jenkins-ci.plugins:groovy

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory