CVE-2023-30518: 
Java vulnerability analysis and mitigation

A missing permission check vulnerability was discovered in Jenkins Thycotic Secret Server Plugin versions 1.0.2 and earlier. The vulnerability was assigned CVE-2023-30518 and was disclosed on April 12, 2023. The affected component is the Delinea Secret Server Plugin (thycotic-secret-server) which is used in Jenkins installations (Jenkins Advisory, NVD).

The vulnerability stems from a missing permission check in an HTTP endpoint of the plugin. The issue has been assigned a CVSS v3.1 base score of 4.3 (Medium) with the vector string AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N. The vulnerability is classified as CWE-862: Missing Authorization (NVD).

This vulnerability allows attackers with Overall/Read permission to enumerate credentials IDs of credentials stored in Jenkins. The exposed credentials IDs could potentially be used as part of a broader attack to capture the actual credentials if combined with another vulnerability (Jenkins Advisory).

As of the advisory publication date, there is no fix available for this vulnerability in the Delinea Secret Server Plugin. Organizations using affected versions (1.0.2 and earlier) should assess their risk and consider implementing additional access controls or monitoring measures until a patch becomes available (Jenkins Advisory).

The vulnerability was discovered and reported by Daniel Beck from CloudBees, Inc. The large number of unfixed vulnerabilities in Jenkins plugins, including this one, has raised concerns in the security community about the security posture of Jenkins plugins (OSS Security).