[JENKINS:SECURITY-2944] Token stored and displayed in plain text by `consul-kv-builder`
Severity: Medium
Affected Packages: 2
CVEs: 2
consul-kv-builder 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml` on the Jenkins controller as part of its configuration.
This token can be viewed by users with access to the Jenkins controller file system.
Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.
As of publication of this advisory, there is no fix.
Package | Affected Version |
---|---|
pkg:maven/org.jenkins-ci.plugins/consul-kv-builder | <= 2.0.13 |
pkg:github/jenkinsci/consul-kv-builder-plugin | <= 2.0.13 |
- ID: JENKINS:SECURITY-2944
- Severity: medium
- Published: 2023-04-12T00:00:00
- Modified: 2023-04-12T00:00:00
- Rights: Jenkins Security Team
- Other Advisories
Source | ID | Name | URL |
---|---|---|---|
Plugin repository | | consul-kv-builder repository | https://github.com/jenkinsci/consul-kv-builder-plugin |
Type | Package URL | Namespace | Name / Product | Version | Distribution / Platform | Arch | Patch / Fix |
---|---|---|---|---|---|---|---|
Affected | pkg:maven/org.jenkins-ci.plugins/consul-kv-builder | org.jenkins-ci.plugins | consul-kv-builder | <= 2.0.13 | | | |
Affected | pkg:github/jenkinsci/consul-kv-builder-plugin | jenkinsci | consul-kv-builder-plugin | <= 2.0.13 | | | |