Description

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146

Related Vulnerabilities

CVE-2016-4977 Vulnerability in maven package org.springframework.security.oauth:spring-security-oauth2

CVE-2023-33000 Vulnerability in maven package io.jenkins.plugins:cavisson-ns-nd-integration

CVE-2021-22114 Vulnerability in maven package org.springframework.integration:spring-integration-zip

CVE-2021-21610 Vulnerability in maven package org.jenkins-ci.main:jenkins-core

CVE-2010-0684 Vulnerability in maven package org.apache.activemq:activemq-web

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory