CVE-2023-30524
Description
Jenkins Report Portal Plugin 0.5 and earlier exposes ReportPortal access tokens in plaintext on the configuration form, allowing nearby attackers to capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-30524 is a vulnerability in the Jenkins Report Portal Plugin, versions 0.5 and earlier, in which the plugin does not mask the ReportPortal access token shown on its configuration form [1][3]. The token is rendered as an ordinary text value, so it appears in the page (and in the page source) exactly as stored, instead of in a masked password field. The root cause is that the configuration UI does not use Jenkins's standard handling for credentials (a `Secret`-typed field rendered as a password input); this is a recurring oversight in Jenkins plugins [1].
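The following is an added illustration of the defect class described above, not the Report Portal Plugin's own source. It shows a hypothetical Jenkins global configuration written the insecure way (a plain `String` token rendered with `f:textbox`) beside the conventional fix (a `hudson.util.Secret` rendered with `f:password`). Class names, field names and the `Bearer` header format are assumptions made for the example.

```java
// Added example: hypothetical Jenkins plugin configuration, not the
// Report Portal Plugin's actual code.  Names are illustrative only.
package example.jenkins;

import hudson.Extension;
import hudson.util.Secret;
import jenkins.model.GlobalConfiguration;
import net.sf.json.JSONObject;
import org.kohsuke.stapler.DataBoundSetter;
import org.kohsuke.stapler.StaplerRequest;

/**
 * BEFORE: the token is a plain String.  With this config.jelly:
 *
 *   <f:entry title="Access token" field="accessToken">
 *     <f:textbox/>
 *   </f:entry>
 *
 * the stored value is echoed into the form unmasked, so anyone who can
 * see the administrator's screen, a screenshot, or the page source reads
 * the token.  This is the class of defect the advisory describes.
 */
class InsecureReportConfig extends GlobalConfiguration {
    private String accessToken;   // plaintext in memory, on disk and on the form

    public String getAccessToken() { return accessToken; }

    @DataBoundSetter
    public void setAccessToken(String accessToken) {
        this.accessToken = accessToken;
        save();
    }
}

/**
 * AFTER: the token is a hudson.util.Secret and the form uses a password
 * input:
 *
 *   <f:entry title="Access token" field="accessToken">
 *     <f:password/>
 *   </f:entry>
 *
 * The browser masks the field, the Secret's instance toString() yields
 * the encrypted form rather than the plaintext, and the value is written
 * encrypted to the controller's config XML.  Plaintext is unwrapped only
 * where the token is actually used.
 */
@Extension
public class SecureReportConfig extends GlobalConfiguration {
    private Secret accessToken;

    public SecureReportConfig() { load(); }

    public static SecureReportConfig get() {
        return GlobalConfiguration.all().get(SecureReportConfig.class);
    }

    /** Returned as Secret, so the form binder never handles plaintext. */
    public Secret getAccessToken() { return accessToken; }

    @DataBoundSetter
    public void setAccessToken(Secret accessToken) {
        this.accessToken = accessToken;
        save();
    }

    @Override
    public boolean configure(StaplerRequest req, JSONObject json) {
        req.bindJSON(this, json);   // binds the Secret through the @DataBoundSetter
        save();
        return true;
    }

    /**
     * Unwrap the plaintext only at the point of use.  Secret.toString(Secret)
     * (the static helper) returns the plaintext, or "" for null.  The
     * "Bearer" scheme is an assumption for this example.
     */
    public String bearerHeaderValue() {
        return "Bearer " + Secret.toString(accessToken);
    }
}
```

The two classes differ in three places a reviewer can check mechanically: the field type (`String` versus `Secret`), the Jelly control (`f:textbox` versus `f:password`), and where `getPlainText()`/`Secret.toString(Secret)` is called (nowhere on the form path, only when the outbound request is built).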
Exploitation requires the ability to see the rendered configuration form for the Report Portal Plugin. Viewing that page itself needs whatever permission Jenkins grants for it (Overall/Administer for global configuration), so the realistic exposure, and the reason the description speaks of "nearby attackers", is to anyone who can observe a legitimate user's screen: someone looking over an administrator's shoulder, a screen-share or recording, a saved screenshot, or a user who has already obtained limited access to the Jenkins web interface and can open the form. No network position or authentication bypass is involved; the token is disclosed by the legitimate page doing exactly what it was written to do [1][3].
The impact is disclosure of the ReportPortal access token to anyone who observes the form. That token authenticates to the associated ReportPortal service, so an observer could read test reports and related data, and potentially act with whatever privileges the token carries. The severity is rated moderate: the flaw increases the risk of credential theft, but it needs prior visibility of the Jenkins configuration page to exploit [1][3].
As of the advisory date (April 12, 2023), no fix was available for this plugin, and it remains on the list of unresolved security issues in Jenkins plugins [1][2]. Until a fixed release exists, practitioners should restrict who can view the plugin's configuration page, avoid opening that page during screen shares or in screenshots, rotate the ReportPortal token if it may have been observed, issue the plugin a least-privilege token scoped to what the integration needs, and audit access to the Jenkins configuration pages. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.jenkins-ci.plugins:reportportal | Maven | <= 0.5 | none |
Patches
No patches discovered yet.
References
[1] GitHub Security Advisory GHSA-j55j-28wc-v338: https://github.com/advisories/GHSA-j55j-28wc-v338
[2] NVD entry for CVE-2023-30524: https://nvd.nist.gov/vuln/detail/CVE-2023-30524
[3] Jenkins Security Advisory 2023-04-12 (vendor advisory): https://www.jenkins.io/security/advisory/2023-04-12/
[4] oss-security announcement, 2023-04-13: https://www.openwall.com/lists/oss-security/2023/04/13/3
News mentions
- Jenkins Security Advisory 2023-04-12, Jenkins Security Advisories, Apr 12, 2023