CVE-2023-50776: 
Java vulnerability analysis and mitigation

CVE-2023-50776 affects the Jenkins PaaSLane Estimate Plugin versions 1.0.4 and earlier. The vulnerability was discovered and reported by Andrea Chiera from CloudBees, Inc. and was publicly disclosed on December 13, 2023. This security issue involves the insecure storage of authentication tokens in the Jenkins controller's job configuration files (Jenkins Advisory, OSS Security).

The vulnerability has been classified as Medium severity with a CVSS v3.1 base score of 4.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N). The technical issue stems from PaaSLane authentication tokens being stored unencrypted in job config.xml files on the Jenkins controller. These tokens are accessible to users with Item/Extended Read permission or those who have access to the Jenkins controller file system (NVD).

The vulnerability exposes sensitive authentication tokens to unauthorized access. Users with Item/Extended Read permission or access to the Jenkins controller file system can view these unencrypted tokens. Additionally, the job configuration form does not mask these tokens, increasing the potential for attackers to observe and capture them (Jenkins Advisory).

As of the advisory's publication date, there is no fix available for this vulnerability. The Jenkins security team has acknowledged the issue but has not released a patched version (Jenkins Advisory).