CVE-2023-30515: 
Java vulnerability analysis and mitigation

Jenkins Thycotic DevOps Secrets Vault Plugin version 1.0.0 contains a security vulnerability (CVE-2023-30515) that was disclosed on April 12, 2023. The vulnerability affects the plugin's credential masking functionality when used with Jenkins Pipeline steps (Jenkins Advisory, OSS Security).

The vulnerability occurs when the plugin fails to properly mask (replace with asterisks) credentials printed in the build log from Pipeline steps like 'sh' and 'bat' under specific conditions. This happens when credentials are printed in build steps executing on an agent (typically inside a 'node' block) and push mode for durable task logging is enabled. The push mode can be enabled either through the Java system property 'org.jenkinsci.plugins.workflow.steps.durabletask.DurableTaskStep.USEWATCHING' or automatically by certain plugins like OpenTelemetry and Pipeline Logging over CloudWatch (Jenkins Advisory).

The vulnerability could expose sensitive credentials in build logs, potentially allowing unauthorized access to protected resources. When credentials are not properly masked, they appear in plain text in the build logs, making them visible to anyone with access to these logs (Jenkins Advisory).

As of the advisory publication, there is no direct fix available for the Thycotic DevOps Secrets Vault Plugin 1.0.0. However, a temporary workaround is available through an improvement in Credentials Binding 523.525.vb_72269281873, which implements a mechanism that applies build log masking even in affected plugins. This workaround is considered temporary and potentially incomplete, and it is recommended to wait for an updated version of the plugin for a complete fix (Jenkins Advisory).