CVE-2023-24440: 
Java vulnerability analysis and mitigation

JIRA Pipeline Steps Plugin 2.0.165.v8846cf59f3db and earlier stores the private key unencrypted in its global configuration file org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml on the Jenkins controller as part of its configuration. Additionally, the global configuration form does not mask the API key. The vulnerability was discovered in January 2023 and assigned CVE-2023-24440 with a Low severity (CVSS) rating (Jenkins Advisory).

The vulnerability consists of two main issues: First, the private key is stored unencrypted in the global configuration file (org.thoughtslive.jenkins.plugins.jira.JiraStepsConfig.xml) on the Jenkins controller. Second, the API key is not masked in the global configuration form, making it visible in the user interface. These issues are tracked as CVE-2023-24439 for the storage vulnerability and CVE-2023-24440 for the masking vulnerability (Jenkins Advisory).

The vulnerability allows users with access to the Jenkins controller file system to view the unencrypted private key. Additionally, the lack of masking in the configuration form increases the potential for attackers to observe and capture the API key through visual observation of the interface (Jenkins Advisory).

As of the advisory publication date, there was no fix available for this vulnerability. Users should restrict access to the Jenkins controller file system and the global configuration interface to trusted administrators only (Jenkins Advisory).