[MAVEN:GHSA-Q9HM-HR89-HGM7] Jenkins WSO2 Oauth Plugin does not mask the WSO2 Oauth client secret on the global configuration form

Severity Low

Affected Packages 1

CVEs 1

Jenkins WSO2 Oauth Plugin 1.0 and earlier stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration.

This client secret can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the WSO2 Oauth client secret, increasing the potential for attackers to observe and capture it.

Package	Affected Version
pkg:maven/org.jenkins-ci.plugins/wso2id-oauth	<= 1.0

ID

MAVEN:GHSA-Q9HM-HR89-HGM7

Severity

low

URL

https://github.com/advisories/GHSA-q9hm-hr89-hgm7

Published

2023-04-12T18:30:36
(17 months ago)

Modified

2023-04-21T16:24:32
(17 months ago)

Rights

Maven Security Team

Other Advisories

JENKINS:SECURITY-2992

Source	# ID	Name	URL
			https://nvd.nist.gov/vuln/detail/CVE-2023-30528
			https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992
			http://www.openwall.com/lists/oss-security/2023/04/13/3
			https://github.com/advisories/GHSA-q9hm-hr89-hgm7

Type	Package URL	Namespace	Name / Product	Version	Distribution / Platform	Arch	Patch / Fix
Affected	pkg:maven/org.jenkins-ci.plugins/wso2id-oauth	org.jenkins-ci.plugins	wso2id-oauth	<= 1.0

# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	Exploits	PoC	Pubblication Date	Modification Date
# CVE	Description	CVSS	EPSS	EPSS Trend (30 days)	Affected Products	Weaknesses	Security Advisories	PoC	Pubblication Date	Modification Date