Jenkins Consul KV Builder Plugin 2.0.13 and earlier stores the HashiCorp Consul ACL Token unencrypted in its global configuration file `org.jenkinsci.plugins.consulkv.GlobalConsulConfig.xml` on the Jenkins controller as part of its configuration.

This token can be viewed by users with access to the Jenkins controller file system.

Additionally, the global configuration form does not mask the token, increasing the potential for attackers to observe and capture it.

Affected Packages

Maven org.jenkins-ci.plugins:consul-kv-builder

Affected versions: 0 (last affected: 2.0.13)

Related CVEs

CVE-2023-30530

Key Information

GHSA ID

GHSA-96c7-fqxv-rmv7

Published

April 12, 2023 6:30 PM

Last Modified

April 12, 2023 10:19 PM

CVSS Score

5.0 /10

Primary Ecosystem

Maven

Primary Package

org.jenkins-ci.plugins:consul-kv-builder

GitHub Reviewed

✓ Yes

Dataset

Last updated: August 25, 2025 6:33 AM

Data from GitHub Advisory Database. This information is provided for research and educational purposes.