Description

Jenkins WSO2 Oauth Plugin 1.0 and earlier does not mask the WSO2 Oauth client secret on the global configuration form, increasing the potential for attackers to observe and capture it.

Remediation

References

http://www.openwall.com/lists/oss-security/2023/04/13/3

https://www.jenkins.io/security/advisory/2023-04-12/#SECURITY-2992

Related Vulnerabilities

CVE-2019-10785 Vulnerability in maven package org.webjars.bower:dojox

CVE-2019-17563 Vulnerability in maven package org.apache.tomcat.embed:tomcat-embed-core

CVE-2022-25647 Vulnerability in maven package com.google.code.gson:gson

CVE-2020-13951 Vulnerability in maven package org.apache.openmeetings:openmeetings-server

CVE-2020-6427 Vulnerability in maven package org.webjars.npm:electron

Severity

High

Classification

CWE-312 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Mailing List Third Party Advisory Vendor Advisory