PT-2023-22752 · Jenkins · Jenkins Report Portal Plugin
Published 2023-04-12 · Updated 2023-04-20 · CVE-2023-30524
CVSS v3.1: 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Report Portal Plugin versions 0.5 and earlier
Description
The issue concerns the storage and display of ReportPortal access tokens. Specifically, the tokens are stored unencrypted in job config.xml files on the Jenkins controller and can be viewed by users with Item/Extended Read permission or with access to the Jenkins controller file system. Furthermore, the configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them.
Recommendations
For Jenkins Report Portal Plugin versions 0.5 and earlier, consider disabling the plugin until a patch is available to prevent the exposure of ReportPortal access tokens. Restrict access to the Jenkins controller file system and limit Item/Extended Read permission to minimize the risk of token capture. Avoid using the plugin's configuration form until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
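As an added defender-side check (not code from the advisory or from the plugin), the script below scans a Jenkins job config.xml for secret-looking fields whose value is not stored in Jenkins' encrypted `{base64}` form, which is how a properly handled `hudson.util.Secret` appears on disk. The plugin's real XML tag names are not given on this page, so the sample config, its tag names and the substring heuristic for "secret-looking" fields are constructed assumptions.

```python
import re
import xml.etree.ElementTree as ET
from typing import List, Tuple

# Jenkins writes values of type hudson.util.Secret to config.xml as "{<base64>}".
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

# Assumption: the plugin's exact tag names are unknown here, so any element whose
# name contains one of these substrings is treated as a field that should be a Secret.
SECRET_NAME_HINTS = ("token", "apikey", "api_key", "password", "secret")


def looks_like_secret_field(tag: str) -> bool:
    """Heuristic: does this element name suggest it holds a credential?"""
    return any(hint in tag.lower() for hint in SECRET_NAME_HINTS)


def find_plaintext_secrets(config_xml: str) -> List[Tuple[str, str]]:
    """Return (element path, value) pairs for secret-looking fields stored in clear text."""
    root = ET.fromstring(config_xml)
    findings: List[Tuple[str, str]] = []
    stack = [(root, root.tag)]
    while stack:  # iterative depth-first walk over the whole job configuration
        elem, path = stack.pop()
        for child in elem:
            child_path = f"{path}/{child.tag}"
            text = (child.text or "").strip()
            if text and looks_like_secret_field(child.tag) and not ENCRYPTED_SECRET.match(text):
                findings.append((child_path, text))
            stack.append((child, child_path))
    return findings


# Constructed sample job config.xml: one plugin section holding a clear-text token
# next to another plugin's properly encrypted credential (both values are made up).
SAMPLE_CONFIG_XML = """<project>
  <builders>
    <com.example.reportportal.ReportPortalBuilder plugin="reportportal@0.5">
      <endpoint>https://reportportal.example.internal</endpoint>
      <uuidToken>11111111-2222-3333-4444-555555555555</uuidToken>
    </com.example.reportportal.ReportPortalBuilder>
  </builders>
  <publishers>
    <com.example.other.Publisher>
      <apiToken>{AQAAABAAAAAQdGVzdHRlc3R0ZXN0dGVzdA==}</apiToken>
    </com.example.other.Publisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for path, value in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print(f"clear-text secret at {path}: {value[:8]}...")
```

Run it against `$JENKINS_HOME/jobs/*/config.xml` to find jobs whose stored tokens need rotating once the affected plugin is removed or fixed.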
Weakness Enumeration
Related identifiers
Affected products
Jenkins
Jenkins Report Portal Plugin