CVE-2023-30527

Name of the Vulnerable Software and Affected Versions Jenkins WSO2 Oauth Plugin versions 1.0 and earlier

Description The issue concerns the storage of the WSO2 Oauth client secret in an unencrypted form within the global config.xml file on the Jenkins controller. This file can be accessed by users with permissions to the Jenkins controller file system, potentially allowing them to view the client secret. Furthermore, the global configuration form fails to mask the WSO2 Oauth client secret, increasing the risk of it being observed and captured by attackers.

Recommendations For Jenkins WSO2 Oauth Plugin versions 1.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the client secret being viewed. As a temporary workaround, manually mask the WSO2 Oauth client secret in the global configuration form until a fix is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.