
Cloud Vulnerability DB
A community-led vulnerabilities database
The Jenkins WSO2 Oauth Plugin, version 1.0 and earlier, contains a security vulnerability identified as CVE-2023-30527, which was discovered and disclosed on April 12, 2023. The issue is insecure storage of sensitive information, specifically the WSO2 Oauth client secret (Jenkins Advisory, OSS Security).
The plugin stores the WSO2 Oauth client secret unencrypted in the global config.xml file on the Jenkins controller as part of its configuration. The severity of this vulnerability is rated Low under the CVSS scoring system. The issue is tracked as SECURITY-2992 and has two aspects: storage (CVE-2023-30527) and masking (CVE-2023-30528) (Jenkins Advisory).
Users with access to the Jenkins controller file system can view the client secret. The exposure of this secret could potentially allow unauthorized access to WSO2 OAuth-protected resources. Additionally, the global configuration form does not mask the WSO2 Oauth client secret, which increases the potential for attackers to observe and capture it during configuration (Jenkins Advisory).
As of the advisory publication on April 12, 2023, there is no fix available for this vulnerability in the WSO2 Oauth Plugin. Users should carefully restrict access to the Jenkins controller file system to minimize the risk of unauthorized access to the client secret (Jenkins Advisory).
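As an added illustration (not part of this database entry or of the plugin's own code), the following defender-side check scans a Jenkins config.xml for secret-named fields that are not stored in the braces-wrapped base64 form that Jenkins' encrypted Secret type uses, which is the storage problem this advisory describes. The sample config.xml, the WSO2 element names and the "secret in the tag name" heuristic are constructed assumptions for illustration.

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample of a Jenkins global config.xml. The WSO2 element names are
# assumptions for illustration, not the plugin's real schema.
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<hudson>
  <securityRealm class="org.example.wso2.AssumedSecurityRealm">
    <clientId>jenkins-ci</clientId>
    <clientSecret>hunter2-plaintext-secret</clientSecret>
  </securityRealm>
  <otherPlugin>
    <apiSecret>{AQAAABAAAAAQ0hrcJ9YjD4c9qZbJ6pEnTgl3vKZ7UfR9X3qfq5rvB7I=}</apiSecret>
  </otherPlugin>
</hudson>
"""

# hudson.util.Secret serialises encrypted values as base64 wrapped in braces
# (assumed format); anything else is treated as a plaintext secret.
ENCRYPTED_SECRET_RE = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")

def looks_encrypted(value: str) -> bool:
    """True if value has the shape of a Jenkins-encrypted Secret."""
    value = value.strip()
    if not ENCRYPTED_SECRET_RE.match(value):
        return False
    try:
        base64.b64decode(value[1:-1], validate=True)
    except ValueError:
        return False
    return True

def find_plaintext_secrets(config_xml: str) -> list:
    """Return XML paths of secret-named fields whose value is not encrypted."""
    findings = []

    def walk(elem, path):
        path = f"{path}/{elem.tag}"
        if "secret" in elem.tag.lower() and elem.text and not looks_encrypted(elem.text):
            findings.append(path)
        for child in elem:
            walk(child, path)

    walk(ET.fromstring(config_xml), "")
    return findings

if __name__ == "__main__":
    for path in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print("unencrypted secret stored at", path)
```

Run it against a real controller's config.xml (with read access already granted to you) to list plugin fields that should be audited for plaintext credentials.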
The vulnerability was discovered and reported by Kevin Guerroudj from CloudBees, Inc. The Jenkins security team has classified this as a low-severity issue, and it was announced as part of a larger security advisory that covered multiple Jenkins plugins (Jenkins Advisory).
Source: This report was generated using AI