Description

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2944

Related Vulnerabilities

CVE-2023-31007 Vulnerability in maven package org.apache.pulsar:pulsar-broker

CVE-2021-34428 Vulnerability in maven package org.eclipse.jetty:jetty-server

CVE-2022-22984 Vulnerability in npm package @snyk/snyk-hex-plugin

CVE-2022-23708 Vulnerability in maven package org.elasticsearch:elasticsearch

CVE-2023-30527 Vulnerability in maven package org.jenkins-ci.plugins:wso2id-oauth

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory