CVE-2023-33001: 
Java vulnerability analysis and mitigation

Jenkins HashiCorp Vault Plugin version 360.v0a_1c04cf807d and earlier contains a security vulnerability (CVE-2023-33001) related to improper credential masking in build logs. The vulnerability was disclosed on May 16, 2023, affecting the HashiCorp Vault Plugin for Jenkins (Jenkins Advisory).

The vulnerability occurs when credentials are printed in build logs from Pipeline steps like 'sh' and 'bat' under specific conditions: 1) The credentials are printed in build steps executing on an agent (typically inside a node block), and 2) Push mode for durable task logging is enabled. Push mode can be enabled either through the Java system property org.jenkinsci.plugins.workflow.steps.durable_task.DurableTaskStep.USE_WATCHING or is automatically enabled by certain plugins like OpenTelemetry and Pipeline Logging over CloudWatch. The vulnerability has been assigned a Medium severity rating (Jenkins Advisory).

When the vulnerability is exploited, credentials that should be masked (replaced with asterisks) in the build log are displayed in plain text. This could lead to the exposure of sensitive credentials to unauthorized users who have access to the build logs (Jenkins Advisory).

As of the advisory publication, there was no direct fix available for the HashiCorp Vault Plugin. However, a temporary workaround exists through an improvement in Credentials Binding 523.525.vb_72269281873, which implements build log masking for affected plugins. This workaround is considered temporary and potentially incomplete, and it is recommended that affected plugins be updated when a fix becomes available (Jenkins Advisory).