CVE-2023-30530

Name of the Vulnerable Software and Affected Versions Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier

Description The issue concerns the storage of the HashiCorp Consul ACL Token in the global configuration file on the Jenkins controller. This token is stored unencrypted and can be viewed by users with access to the Jenkins controller file system. The global configuration form does not mask the token, increasing the potential for attackers to observe and capture it. The file in question is org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml.

Recommendations For Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the HashiCorp Consul ACL Token being viewed by unauthorized users. As a temporary workaround, limit access to the global configuration form to prevent the token from being observed and captured. At the moment, there is no information about a newer version that contains a fix for this vulnerability.