Unencrypted Storage Vulnerability in Jenkins Consul KV Builder Plugin by Jenkins
CVE-2023-30530

4.3MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Consul KV Builder Plugin
Vendor: CVE Published:; 12 April 2023

Summary

The Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier contain a serious vulnerability where the HashiCorp Consul ACL Token is stored unencrypted in the global configuration file on the Jenkins controller. This allows unauthorized users with file system access to view sensitive information, compromising the security integrity of the Jenkins environment. Proper security measures must be implemented to protect sensitive data and prevent unauthorized access.

Affected Version(s)

Jenkins Consul KV Builder Plugin 0 <= 2.0.13

References

https://www.jenkins.io/security/advisory/2023-04-12/#SECU...

vendor-advisory

http://www.openwall.com/lists/oss-security/2023/04/13/3

CVSS V3.1

Score:

4.3

Severity:

MEDIUM

Confidentiality:

Low

Integrity:

None

Availability:

Low

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Apr 12, 2023
Vulnerability Reserved
Apr 12, 2023