Lucene search

GitHub Advisory DatabaseGHSA-Q9HM-HR89-HGM7

HistoryApr 12, 2023 - 6:30 p.m.

Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form

2023-04-1218:30:36

CWE-312

GitHub Advisory Database

github.com

jenkins

wso2 oauth plugin

client secret

global configuration

unencrypted

attackers

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.5%

JSON

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

Affected configurations

Vulners

Node

org.jenkins-ci.plugins\Matchwso2id-oauth

References

www.openwall.com/lists/oss-security/2023/04/13/3

github.com/advisories/GHSA-q9hm-hr89-hgm7

nvd.nist.gov/vuln/detail/CVE-2023-30528

www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992

CVSS3

6.5

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

LOW

User Interaction

NONE

Scope

UNCHANGED

Confidentiality Impact

HIGH

Integrity Impact

NONE

Availability Impact

NONE

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

EPSS

0.001

Percentile

45.5%

JSON

Related for GHSA-Q9HM-HR89-HGM7