CVE-2023-30527

2023-04-1218:15:11

CWE-312

[email protected]

web.nvd.nist.gov

jenkins

wso2

oauth

plugin

security

unencrypted

config file

vulnerability

4.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

4.5 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.6%

JSON

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller where it can be viewed by users with access to the Jenkins controller file system.

Affected configurations

NVD

Node

jenkinswso2_oauthRange≤1.0jenkins

CPENameOperatorVersion
jenkins:wso2_oauthjenkins wso2 oauthle1.0

CPE	Name	Operator	Version
jenkins:wso2_oauth	jenkins wso2 oauth	le	1.0

CNA Affected

[
  {
    "defaultStatus": "unknown",
    "product": "Jenkins WSO2 Oauth Plugin",
    "vendor": "Jenkins Project",
    "versions": [
      {
        "lessThanOrEqual": "1.0",
        "status": "affected",
        "version": "0",
        "versionType": "maven"
      }
    ]
  }
]