VYPR
Moderate severity · NVD Advisory · Published Jan 24, 2023 · Updated Apr 2, 2025

CVE-2023-24450

Description

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Jenkins view-cloner Plugin 1.1 and earlier stores passwords unencrypted in job config.xml files, exposing them to users with Extended Read or file system access.

The Jenkins view-cloner Plugin is designed to copy and modify views and jobs in bulk. In versions 1.1 and earlier, the plugin stores passwords in plain text within job config.xml files on the Jenkins controller [1][2]. This means that any password used in job configurations is written to disk without encryption.

To exploit this vulnerability, an attacker needs either the Extended Read permission (a Jenkins permission that allows viewing job configurations) or direct access to the Jenkins controller's file system [2]. With these privileges, the attacker can read the config.xml files and extract any stored passwords.

The impact is severe: an attacker who obtains these passwords can use them to access other systems or escalate privileges within the Jenkins environment. Since passwords are stored in plain text, there is no need for decryption.

As of the latest advisory, no fixed version has been released for the view-cloner Plugin [1]. Users are advised to avoid storing passwords in job configurations if possible, or to restrict access to the controller file system and assign Extended Read permission only to trusted users. The plugin's GitHub repository shows no recent updates addressing this issue [3].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
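
An audit check for the exposure described above, as an added example that is not part of the advisory or the plugin's code. It assumes that secret-bearing elements have "password" in their tag name and that encrypted Jenkins secrets are serialized as base64 wrapped in curly braces; the builder and element names in the sample are hypothetical.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Assumption: secret-bearing elements have "password" in their tag name.
PASSWORD_TAG = re.compile(r"password", re.IGNORECASE)
# Assumption: an encrypted Jenkins secret is serialized as {base64}.
ENCRYPTED = re.compile(r"^\{([A-Za-z0-9+/]+={0,2})\}$")


def looks_encrypted(value):
    """True if value has the {base64} shape of an encrypted secret."""
    m = ENCRYPTED.match(value.strip())
    if not m:
        return False
    try:
        base64.b64decode(m.group(1), validate=True)
    except ValueError:
        return False
    return True


def find_plaintext_passwords(config_xml):
    """Return element paths with a non-empty, unencrypted password (never the value)."""
    findings = []
    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if PASSWORD_TAG.search(elem.tag) and text and not looks_encrypted(text):
            findings.append(here)
        for child in elem:
            walk(child, here)
    walk(ET.fromstring(config_xml), "")
    return sorted(findings)


# Constructed sample; the builder and element names are hypothetical.
SAMPLE_CONFIG = """<project>
  <builders>
    <example.ClonerBuilder>
      <password>constructed-sample-value</password>
      <apiPassword>{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}</apiPassword>
    </example.ClonerBuilder>
  </builders>
</project>"""

if __name__ == "__main__":
    for found in find_plaintext_passwords(SAMPLE_CONFIG):
        print("plaintext password element:", found)
```

To audit a controller, pass the text of each job's config.xml to `find_plaintext_passwords` and rotate any credential it flags.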

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:view-cloner (Maven)
Affected versions: <= 1.1
Patched versions: (none listed)

Patches

0

No patches discovered yet.
