CVE-2023-30528

Name of the Vulnerable Software and Affected Versions Jenkins WSO2 Oauth Plugin versions 1.0 and earlier

Description The issue concerns the storage and display of the WSO2 Oauth client secret in the Jenkins WSO2 Oauth Plugin. Specifically, the client secret is stored unencrypted in the global config.xml file on the Jenkins controller and can be viewed by users with access to the file system. Furthermore, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

Recommendations For Jenkins WSO2 Oauth Plugin versions 1.0 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the client secret being viewed by unauthorized users. As a temporary workaround, consider manually masking the WSO2 Oauth client secret in the global configuration form until a patch is available. At the moment, there is no information about a newer version that contains a fix for this vulnerability.