Jenkins · Jenkins S3 Explorer Plugin · CVE-2022-43426
**Name of the Vulnerable Software and Affected Versions**
Jenkins S3 Explorer Plugin versions 1.0.8 and earlier
**Description**
The Jenkins S3 Explorer Plugin stores an AWS secret access key as part of its global configuration, encrypted on disk in the `s3explorer.xml` file on the Jenkins controller. In versions 1.0.8 and earlier, however, the plugin's global configuration form does not mask the `AWS SECRET ACCESS KEY` form field, so the secret is shown in clear text to anyone who can view the form, increasing the potential for attackers to observe and capture it.
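For illustration of the masking pattern a Jenkins plugin should use, below is an added `config.jelly` fragment for a global configuration section; it is not the S3 Explorer Plugin's own code, and the field names, the section title and the assumption that the backing Java field is declared as `hudson.util.Secret` rather than `String` are all assumptions made for this example.

```xml
<?jelly escape-by-default='true'?>
<!-- Added, illustrative Jenkins global-config form (not the plugin's code).
     Field names awsAccessKeyId / awsSecretAccessKey are assumptions. -->
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:section title="S3 Explorer (illustrative)">
    <f:entry title="AWS ACCESS KEY ID" field="awsAccessKeyId">
      <f:textbox/>
    </f:entry>

    <!-- Weak: a plain textbox renders the secret in clear text in the page,
         so anyone who can open the form can read or copy it. -->
    <!--
    <f:entry title="AWS SECRET ACCESS KEY" field="awsSecretAccessKey">
      <f:textbox/>
    </f:entry>
    -->

    <!-- Corrected: f:password renders a masked input. When the backing Java
         field is hudson.util.Secret, Jenkins puts only the encrypted form of
         the value into the HTML, so the plaintext never reaches the browser
         and the value is still stored encrypted on the controller. -->
    <f:entry title="AWS SECRET ACCESS KEY" field="awsSecretAccessKey">
      <f:password/>
    </f:entry>
  </f:section>
</j:jelly>
```

Switching the tag alone is not enough if the descriptor still binds the value to a `String`; declaring it as `hudson.util.Secret` is what keeps the plaintext out of both the rendered form and the on-disk XML.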
**Recommendations**
For Jenkins S3 Explorer Plugin versions 1.0.8 and earlier, consider disabling the plugin until a patch is available, to prevent potential attackers from observing and capturing the `AWS SECRET ACCESS KEY`. Restrict access to the global configuration form to minimize the risk of exploitation, and avoid using the `AWS SECRET ACCESS KEY` form field in the affected plugin until the issue is resolved. As of this writing, no newer version containing a fix for this vulnerability has been announced.