CVE-2023-30523: Jenkins Report Portal Plugin allows users with Item/Extended Read permission to view tokens on Jenkins controller

April 12, 2023

Jenkins Report Portal Plugin 0.5 and earlier stores ReportPortal access tokens unencrypted in job config.xml files on the Jenkins controller as part of its configuration where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

References

github.com/advisories/GHSA-qgw9-vgrf-h723
nvd.nist.gov/vuln/detail/CVE-2023-30523
www.jenkins.io/security/advisory/2023-04-12/

Detect and mitigate CVE-2023-30523 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →