CVE-2023-30530: 
Java vulnerability analysis and mitigation

CVE-2023-30530 affects the Jenkins Consul KV Builder Plugin versions 2.0.13 and earlier. The vulnerability was discovered and disclosed on April 12, 2023, and was reported by CC Bomber from Kitri BoB. This security issue involves the improper storage of sensitive authentication tokens in the Jenkins controller configuration (Jenkins Advisory, OSS Security).

The vulnerability is classified as Medium severity according to CVSS v3.1 with a base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The issue specifically involves the HashiCorp Consul ACL Token being stored unencrypted in the global configuration file 'org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml' on the Jenkins controller (Jenkins Advisory).

The vulnerability exposes sensitive authentication tokens to unauthorized access. Users with access to the Jenkins controller file system can view the unencrypted HashiCorp Consul ACL Token stored in the global configuration file. Additionally, the token is not masked in the configuration form, increasing the risk of unauthorized observation and capture (Jenkins Advisory).

As of the advisory's publication date (April 12, 2023), there is no fix available for this vulnerability in the Consul KV Builder Plugin. Organizations using affected versions should carefully restrict access to the Jenkins controller file system and monitor for unauthorized access attempts (Jenkins Advisory).

The security community has expressed concern about the large number of unfixed vulnerabilities in Jenkins plugins, with some suggesting this might be an argument against using Jenkins plugins in security-sensitive environments (OSS Security).