CVE-2023-30531

Name of the Vulnerable Software and Affected Versions Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier

Description The issue concerns the storage and display of the HashiCorp Consul ACL Token in the Jenkins Consul KV Builder Plugin. Specifically, the token is stored unencrypted in the global configuration file org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml on the Jenkins controller. This file can be accessed by users with access to the Jenkins controller file system, potentially allowing them to view the token. Furthermore, the global configuration form does not mask the token, increasing the risk of it being observed and captured by attackers.

Recommendations For Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier, consider restricting access to the Jenkins controller file system to minimize the risk of the HashiCorp Consul ACL Token being viewed by unauthorized users. As a temporary workaround, limit access to the global configuration form to prevent attackers from observing and capturing the token. At the moment, there is no information about a newer version that contains a fix for this vulnerability.