Moderate severity · NVD Advisory · Published Apr 12, 2023 · Updated Feb 7, 2025

CVE-2023-30531

Description

Jenkins Consul KV Builder Plugin 2.0.13 and earlier does not mask the HashiCorp Consul ACL Token on the global configuration form, increasing exposure to credential capture.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Description

Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier do not mask the HashiCorp Consul ACL Token when displayed on the global configuration form. This means the token is shown in plaintext rather than being obscured (e.g., with asterisks), increasing the risk that an attacker who can view the configuration page might observe and capture the credential [1] [3].

Exploitation

An attacker with access to the Jenkins instance’s global configuration form—typically requiring at least Overall/Read permission—can view the Consul ACL Token in clear text. No special authentication beyond Jenkins credentials is needed to exploit this exposure, as the form displays the token directly without masking [1].

Impact

If an attacker captures the Consul ACL Token, they could use it to authenticate to HashiCorp Consul services with the privileges associated with that token. This could lead to unauthorized access to Consul-managed configuration data, service discovery, or health checking, depending on the token’s permissions [1].

Mitigation

The Jenkins Security Advisory 2023-04-12 lists this as an unresolved issue in the Consul KV Builder Plugin; no patched version has been released as of the advisory date. Administrators are advised to restrict access to the global configuration form and consider using Jenkins’ built-in credential binding features to manage sensitive tokens [1].

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package: org.jenkins-ci.plugins:consul-kv-builder (Maven)
Affected versions: <= 2.0.13
Patched versions: none listed
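
An added example, not part of the advisory or the plugin's code: a check that reads a Jenkins plugin inventory and reports installed copies of the plugin in the affected range above. It assumes the inventory is the JSON returned by Jenkins' `/pluginManager/api/json?depth=1` endpoint and that the plugin's Jenkins short name matches the Maven artifactId `consul-kv-builder`; the sample inventory is constructed.

```python
import json
import re

PLUGIN_ID = "consul-kv-builder"  # assumption: Jenkins shortName equals the Maven artifactId
LAST_AFFECTED = "2.0.13"         # upper bound of the affected range ("<= 2.0.13")


def version_key(version):
    """Map '2.0.13' or '2.0.13-SNAPSHOT' to a comparable tuple; qualifiers are ignored."""
    numeric = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not numeric:
        raise ValueError(f"unparseable plugin version: {version!r}")
    parts = [int(p) for p in numeric.group(0).split(".")]
    while len(parts) > 1 and parts[-1] == 0:  # treat 2.1.0 and 2.1 as equal
        parts.pop()
    return tuple(parts)


def is_affected(version):
    return version_key(version) <= version_key(LAST_AFFECTED)


def find_affected(inventory_json):
    """Return one finding per installed copy of the plugin in the affected range."""
    findings = []
    for plugin in json.loads(inventory_json).get("plugins", []):
        if plugin.get("shortName") != PLUGIN_ID:
            continue
        version = plugin.get("version", "")
        if is_affected(version):
            findings.append({
                "version": version,
                "enabled": bool(plugin.get("enabled")),
                "active": bool(plugin.get("active")),
            })
    return findings


# Constructed sample in the shape of /pluginManager/api/json?depth=1 output.
SAMPLE_INVENTORY = json.dumps({"plugins": [
    {"shortName": "consul-kv-builder", "version": "2.0.13", "enabled": True, "active": True},
    {"shortName": "credentials", "version": "1214.v1de940103927", "enabled": True, "active": True},
]})

if __name__ == "__main__":
    for finding in find_affected(SAMPLE_INVENTORY):
        print(f"{PLUGIN_ID} {finding['version']} is in the affected range "
              f"(enabled={finding['enabled']}, active={finding['active']})")
```

A finding means the Consul ACL Token configured for that controller is shown unmasked on the global configuration form, so access to that form is the control to review.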

Patches

No patches discovered yet.
