CVE-2023-30528 org.jenkins-ci.plugins:wso2id-oauth

Package

Manager: maven
Name: org.jenkins-ci.plugins:wso2id-oauth
Vulnerable Version: >=0 <=1.0

Severity

Level: Low

CVSS v3.1: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

CVSS v4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

EPSS: 0.00029 (percentile 0.06603)

Details

Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form.

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. This client secret can be viewed by users with access to the Jenkins controller file system. Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

Metadata

Created: 2023-04-12T18:30:36Z
Modified: 2023-04-12T22:19:08Z
Source: https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2023/04/GHSA-q9hm-hr89-hgm7/GHSA-q9hm-hr89-hgm7.json
CWE IDs: CWE-312
Alternative ID: GHSA-q9hm-hr89-hgm7
Finding: F020
Auto approve: 1