VYPR
Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30530


Description

Jenkins Consul KV Builder Plugin stores the HashiCorp Consul ACL Token unencrypted in its global configuration file, exposing it to users with file system access.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability Description

Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier store the HashiCorp Consul ACL Token in plaintext within the plugin's global configuration file on the Jenkins controller. The token is written without any encryption or obfuscation, making it directly readable from the file system [1][3].

Exploitation

An attacker who already has access to the Jenkins controller's file system—for example, through a compromised Jenkins user account with read permissions on the controller's files, or via another vulnerability that grants file system access—can retrieve the Consul ACL Token by reading the configuration file. No additional authentication or network access to Consul is required at this stage [1].

Impact

With the plaintext Consul ACL Token, an attacker can authenticate to the associated HashiCorp Consul cluster and perform actions permitted by the token's policy. This could lead to unauthorized access to Consul-managed services, configuration data, or service discovery information, depending on the token's privileges [1][3].

Mitigation Status

As of the Jenkins Security Advisory 2023-04-12, the Consul KV Builder Plugin is listed among plugins with unresolved security issues; no patched version has been released [1][2]. Users are advised to restrict file system access to the Jenkins controller, rotate any exposed tokens, and consider using alternative plugins that properly encrypt credentials [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
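
For the mitigation advice above (restrict file system access, rotate exposed tokens), the following added example, which is not code from the plugin or the Jenkins project, audits a controller's top-level XML configuration files for credential-like fields that are not in Jenkins' encrypted `{base64}` Secret form and for files readable beyond their owner. The element name `aclToken`, the file names and the sample values are constructed assumptions; the plugin's real configuration file and field names are not given on this page.

```python
import os, re, stat, tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' Secret type serializes encrypted values as "{<base64>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: element names that suggest a credential field.
SENSITIVE = re.compile(r"token|password|secret", re.IGNORECASE)
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def audit_config(path):
    """Return (kind, detail) findings for one Jenkins XML config file."""
    findings = []
    mode = stat.S_IMODE(path.stat().st_mode)
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("readable-by-others", oct(mode)))
    # Jenkins writes an XML 1.1 declaration, which expat rejects; drop it.
    text = XML_DECL.sub("", path.read_text(encoding="utf-8"), count=1)
    for elem in ET.fromstring(text).iter():
        value = (elem.text or "").strip()
        if value and SENSITIVE.search(elem.tag) and not ENCRYPTED.match(value):
            # Report the field name only, never the secret value itself.
            findings.append(("plaintext-secret", elem.tag))
    return findings

def audit_home(jenkins_home):
    """Audit the top-level *.xml files, where global plugin configs live."""
    report = {}
    for path in sorted(Path(jenkins_home).glob("*.xml")):
        try:
            findings = audit_config(path)
        except (ET.ParseError, OSError):
            continue  # unreadable or malformed file: skip it
        if any(kind == "plaintext-secret" for kind, _ in findings):
            report[path.name] = findings
    return report

def demo():
    """Run the audit over a constructed JENKINS_HOME with two sample files."""
    samples = {  # constructed file names, element names and values
        "example.PlainConfig.xml": ("<aclToken>constructed-sample-token</aclToken>", 0o644),
        "example.SecretConfig.xml": ("<aclToken>{AQAAABAAAAAQY29uc3RydWN0ZWQ=}</aclToken>", 0o600),
    }
    with tempfile.TemporaryDirectory() as home:
        for name, (body, mode) in samples.items():
            path = Path(home, name)
            path.write_text(f"<?xml version='1.1' encoding='UTF-8'?>\n<config>{body}</config>\n")
            os.chmod(path, mode)
        return audit_home(home)
```

Any token the audit flags should be treated as exposed and rotated in Consul, since tightening file permissions afterwards does not undo earlier reads.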

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Affected versions | Patched versions |
| --- | --- | --- |
| org.jenkins-ci.plugins:consul-kv-builder (Maven) | <= 2.0.13 | |

Patches

No patches discovered yet.
