PT-2023-20611 · Jenkins · Credentials Plugin+2
Kevin Guerroudj
·
Published
2023-05-16
·
Updated
2023-05-25
·
CVE-2023-2632
CVSS v3.1
4.3
Medium
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Code Dx Plugin versions 3.1.0 and earlier
Description
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller. Any user with Item/Extended Read permission, or with access to the controller file system, can read these keys. In addition, the job configuration form does not mask the API key field, so the key can also be observed and captured from the UI.
Recommendations
Upgrade to Jenkins Code Dx Plugin 4.0.0, which integrates with the Credentials Plugin and no longer stores API keys directly in job configuration, and reconfigure affected jobs to use that integration. Until the upgrade and reconfiguration are complete, restrict access to the Jenkins controller file system and limit who holds Item/Extended Read permission. Because a key stored in plaintext may already have been read, consider rotating the Code Dx API keys of affected jobs once they have been moved into the Credentials Plugin.
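The following audit script is an added example, not code from the advisory or from the Code Dx plugin. It shows the check described above and in the description: walking job config.xml files under JENKINS_HOME and flagging credential-like elements whose value is not in Jenkins' encrypted Secret form (a base64 string wrapped in braces, as written by the Credentials Plugin and other Secret-aware plugins). The element names in SECRET_TAGS, the publisher element name in the constructed sample, and the name `find_plaintext_secrets` are assumptions for illustration; the advisory does not state which XML element the Code Dx plugin used for its key, so adjust SECRET_TAGS to match your configs.

```python
"""Audit Jenkins job config.xml files for secrets stored in plaintext.

Added example; not part of the advisory or the Code Dx plugin. Run it on the
Jenkins controller (read access to JENKINS_HOME is required) to find jobs that
still need to be reconfigured to use the Credentials Plugin.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' hudson.util.Secret serializes encrypted values as "{<base64>}".
# Anything in a secret-like element that does not match this is plaintext
# (or a legacy bare-base64 value, which this check deliberately also flags).
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")

# Assumption: element names that commonly hold credentials in job configs.
# "key" stands in for the Code Dx API key element; extend as needed.
SECRET_TAGS = {"key", "apiKey", "apikey", "token", "password"}


def is_encrypted(value: str) -> bool:
    """True if the value is in Jenkins' encrypted Secret form."""
    return bool(ENCRYPTED_SECRET.match(value.strip()))


def redact(value: str) -> str:
    """Never echo a recovered key in full; show a short prefix and its length."""
    v = value.strip()
    return f"{v[:4]}...({len(v)} chars)" if len(v) > 4 else "****"


def _walk(elem: ET.Element, path: str, findings: list[tuple[str, str]]) -> None:
    for child in elem:
        child_path = f"{path}/{child.tag}"
        text = (child.text or "").strip()
        if child.tag in SECRET_TAGS and text and not is_encrypted(text):
            findings.append((child_path, redact(text)))
        _walk(child, child_path, findings)


def find_plaintext_secrets(xml_text: str) -> list[tuple[str, str]]:
    """Return (element path, redacted value) for every secret-like element
    in a config.xml document whose value is not Jenkins-encrypted."""
    root = ET.fromstring(xml_text)
    findings: list[tuple[str, str]] = []
    _walk(root, root.tag, findings)
    return findings


def scan_jenkins_home(jenkins_home: Path) -> dict[str, list[tuple[str, str]]]:
    """Scan every job (including folders) under JENKINS_HOME/jobs."""
    results: dict[str, list[tuple[str, str]]] = {}
    for cfg in sorted(jenkins_home.glob("jobs/**/config.xml")):
        try:
            findings = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError as exc:
            findings = [("<parse error>", str(exc))]
        if findings:
            results[str(cfg)] = findings
    return results


# Constructed sample configs (not real data). The publisher element name and
# layout are assumed for illustration only.
PLAINTEXT_JOB = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <publishers>
    <org.jenkinsci.plugins.codedx.CodeDxPublisher plugin="codedx@3.1.0">
      <url>https://codedx.example.internal/codedx</url>
      <key>api-key-0123456789abcdef</key>
    </org.jenkinsci.plugins.codedx.CodeDxPublisher>
  </publishers>
</project>
"""

ENCRYPTED_JOB = """<?xml version='1.1' encoding='UTF-8'?>
<project>
  <publishers>
    <org.jenkinsci.plugins.codedx.CodeDxPublisher plugin="codedx@4.0.0">
      <url>https://codedx.example.internal/codedx</url>
      <key>{AQAAABAAAAAQ3k2Vv9rS1b7R3Zw=}</key>
    </org.jenkinsci.plugins.codedx.CodeDxPublisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    for name, doc in (("plaintext job", PLAINTEXT_JOB), ("encrypted job", ENCRYPTED_JOB)):
        print(name, find_plaintext_secrets(doc))
    # Real use: python3 audit.py after setting jenkins_home to your controller path.
    for cfg, hits in scan_jenkins_home(Path("/var/lib/jenkins")).items():
        for path, preview in hits:
            print(f"{cfg}: {path} = {preview}")
```

The check only distinguishes encrypted from non-encrypted values; it cannot tell whether a non-encrypted value is an API key or harmless text, so review each finding and treat any flagged key as exposed until it has been rotated. It also does not cover build-history or plugin-level XML files outside jobs/, which may hold copies of the same configuration.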
Weakness
Insufficiently Protected Credentials
Related identifiers
Affected products
Credentials Plugin
Jenkins
Jenkins Code Dx Plugin