Description

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2944

Related Vulnerabilities

CVE-2022-23541 Vulnerability in maven package org.webjars.npm:jsonwebtoken

CVE-2023-22467 Vulnerability in maven package org.webjars.bowergithub.moment:luxon

CVE-2020-13921 Vulnerability in maven package org.apache.skywalking:storage-jdbc-hikaricp-plugin

CVE-2023-4316 Vulnerability in npm package zod

CVE-2023-5217 Vulnerability in npm package electron

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory