Unencrypted Secret Storage in Jenkins WSO2 Oauth Plugin by Jenkins
CVE-2023-30527

4.3 MEDIUM

Key Information:

Vendor
Jenkins
CVE Published:
12 April 2023

Summary

Versions 1.0 and earlier of the Jenkins WSO2 Oauth Plugin store the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller. Because the secret is kept in clear text, any user with access to the controller's file system can read it. This vulnerability underscores the importance of secure handling and storage of credentials within applications: an unauthorized user who obtains the secret may use it to gain access to critical components of the system.
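The defender-side check a Jenkins administrator would want here is a quick audit of config.xml for secret-bearing elements whose values are not in the form Jenkins produces for values stored through its Secret type (base64 wrapped in braces, for example `{AQAAABAAAA...}`). The following is an added example written for this page, not code from Jenkins or the plugin; the XML document, the `securityRealm` element and the `clientSecret`/`apiToken` element names are constructed for illustration, so adjust the name pattern to the elements the plugin actually writes.

```python
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

# Values Jenkins stores through its Secret type serialise as base64 wrapped in
# braces, e.g. "{AQAAABAAAA...}".  Anything else in a secret-bearing element is
# being written to disk in clear text.
ENCRYPTED_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Element names that usually carry credentials.  Anchored at the end so that
# names such as "tokenUri" are not mistaken for secrets.
SENSITIVE_NAME_RE = re.compile(r"(secret|password|passwd|token)$", re.IGNORECASE)

# Constructed sample config.xml (hypothetical element names, not the plugin's
# real schema): one secret stored in clear text, one stored encrypted.
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <securityRealm class="org.example.WSO2SecurityRealm">
    <clientId>jenkins-ci</clientId>
    <clientSecret>super-secret-value</clientSecret>
    <tokenUri>https://idp.example/oauth2/token</tokenUri>
  </securityRealm>
  <other>
    <apiToken>{AQAAABAAAAAQZ2Fp5k3T6UbM0g0Q1+Wf2XH8UwVq8Y3aRkQwY0pJ+Bw=}</apiToken>
  </other>
</hudson>
"""


def _walk(elem: ET.Element, path: str, findings: dict[str, str]) -> None:
    """Depth-first walk that records, for every secret-bearing element,
    whether its value looks encrypted or is stored in clear text."""
    here = f"{path}/{elem.tag}"
    if SENSITIVE_NAME_RE.search(elem.tag):
        value = (elem.text or "").strip()
        if value:
            findings[here] = "encrypted" if ENCRYPTED_RE.match(value) else "plaintext"
    for child in elem:
        _walk(child, here, findings)


def classify_secrets(xml_text: str) -> dict[str, str]:
    """Map each secret-bearing element path to 'encrypted' or 'plaintext'."""
    root = ET.fromstring(xml_text)
    findings: dict[str, str] = {}
    _walk(root, "", findings)
    return findings


def plaintext_secret_paths(xml_text: str) -> list[str]:
    """Paths of elements whose secret is written to disk unencrypted."""
    return [p for p, status in classify_secrets(xml_text).items() if status == "plaintext"]


if __name__ == "__main__":
    # On a real controller, read $JENKINS_HOME/config.xml instead of the sample.
    for path, status in classify_secrets(SAMPLE_CONFIG_XML).items():
        print(f"{status:9s} {path}")
```

Run it against a copy of the controller's config.xml after upgrading the plugin: any element still reported as `plaintext` means the secret was not re-saved through the fixed code path and should be rotated as well as re-entered.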

Affected Version(s)

Jenkins WSO2 Oauth Plugin, all versions up to and including 1.0

CVSS V3.1

Score: 4.3
Severity: MEDIUM
Confidentiality: Low
Integrity: None
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
