CVE-2023-30527 — Cleartext Storage of Sensitive Info in Project Jenkins Wso2 Oauth Plugin

CWE-312 — Cleartext Storage of Sensitive Info5 documents5 sources

Severity

4.3MEDIUMNVD

EPSS

0.3%

top 42.78%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Project Jenkins Wso2 Oauth Plugin Jenkins Wso2 Oauth

Timeline

PublishedApr 12

Description

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages2 packages

▶CVEListV5jenkins_project/jenkins_wso2_oauth_plugin1.0

▶NVDjenkins/wso2_oauth1.0

🔴Vulnerability Details

CVEList

CVE-2023-30527: Jenkins WSO2 Oauth Plugin 1↗2023-04-12

▶

OSV

Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller↗2023-04-12

▶

GHSA

Jenkins WSO2 Oauth Plugin stores WSO2 Oauth client secret unencrypted in global config.xml file on Jenkins controller↗2023-04-12

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-04-12↗2023-04-12

▶