CVE-2023-33000
Description
Jenkins NS-ND Integration Performance Publisher Plugin 4.8.0.149 and earlier exposes credentials in plaintext on the configuration form, enabling attackers with view access to capture them.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
CVE-2023-33000 affects the Jenkins NS-ND Integration Performance Publisher Plugin versions 4.8.0.149 and earlier. The plugin fails to mask credentials when displaying them on the configuration form, meaning that sensitive values such as passwords or API tokens are shown in plaintext rather than being obfuscated [1][2].
To exploit this vulnerability, an attacker must have the ability to view the plugin's configuration form. This typically requires at least read access to the Jenkins job or system configuration where the plugin is used. The lack of credential masking increases the risk of credential exposure through shoulder surfing, screen captures, or logging of configuration pages.
The impact is the potential disclosure of credentials used by the plugin to integrate with NS-ND systems. An attacker who obtains these credentials could use them to access external systems or perform actions with the privileges associated with the compromised account.
The Jenkins security advisory recommends updating to a version that properly masks credentials. Users should upgrade to the latest available version of the NS-ND Integration Performance Publisher Plugin to mitigate this vulnerability [1].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| io.jenkins.plugins:cavisson-ns-nd-integration (Maven) | < 4.11.0.48 | 4.11.0.48 |
Affected products
- Range: 0
Patches
No patches discovered yet.
References
- github.com/advisories/GHSA-gqxr-hvrw-6hfh (ghsa, ADVISORY)
- nvd.nist.gov/vuln/detail/CVE-2023-33000 (ghsa, ADVISORY)
- www.jenkins.io/security/advisory/2023-05-16/ (ghsa, vendor-advisory, WEB)
News mentions
- Jenkins Security Advisory 2023-05-16 (Jenkins Security Advisories · May 16, 2023)