Description

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146

Related Vulnerabilities

CVE-2023-30542 Vulnerability in npm package @openzeppelin/contracts

CVE-2017-15703 Vulnerability in maven package org.apache.nifi:nifi-authorizer

CVE-2016-2171 Vulnerability in maven package org.apache.portals.jetspeed-2:jetspeed-security

CVE-2015-7499 Vulnerability in npm package libxmljs

CVE-2018-6341 Vulnerability in maven package org.webjars.bowergithub.vuejs:vue

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory