Zaoui Zakariae

**Name of the Vulnerable Software and Affected Versions:** Jenkins QMetry Test Management Plugin versions 1.13 and earlier **Description:** The Jenkins QMetry Test Management Plugin stores Qmetry Automation API Keys unencrypted in job `config.xml` files on the Jenkins controller. These keys are accessible to users with Item/Extended Read permission or file system access to the Jenkins controller. The job configuration form also does not mask these API keys. **Recommendations:** For versions prior to 1.13, ensure that access to the Jenkins controller file system and jobs with Item/Extended Read permission is restricted to authorized personnel only. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions:** Jenkins Testsigma Test Plan run Plugin versions 1.6 and earlier **Description:** The Jenkins Testsigma Test Plan run Plugin does not mask Testsigma API keys displayed on the job configuration form. This increases the potential for attackers to observe and capture these keys. The plugin stores these API keys in job `config.xml` files on the Jenkins controller, encrypted on disk, but they are not masked in the job configuration form in versions 1.6 and earlier. **Recommendations:** Versions prior to 1.6 are affected. At the moment, there is no information about a newer version that contains a fix for this vulnerability.

**Name of the Vulnerable Software and Affected Versions** Jenkins monitor-remote-job Plugin version 1.0 **Description** The issue allows passwords to be stored unencrypted in job config.xml files on the Jenkins controller. These passwords can be viewed by users with Extended Read permission or those who have access to the Jenkins controller file system. **Recommendations** For Jenkins monitor-remote-job Plugin version 1.0, consider restricting access to the Jenkins controller file system and limiting Extended Read permissions to minimize the risk of password exposure. As a temporary workaround, avoid storing sensitive passwords in job config.xml files until a secure storage method is implemented.

**Name of the Vulnerable Software and Affected Versions** Jenkins Stack Hammer Plugin versions 1.0.6 and earlier **Description** The issue concerns the storage of Stack Hammer API keys in an unencrypted manner within job config.xml files on the Jenkins controller. This allows users with Extended Read permission or access to the Jenkins controller file system to view these keys. **Recommendations** For Jenkins Stack Hammer Plugin versions 1.0.6 and earlier, consider restricting access to the Jenkins controller file system and limiting Extended Read permissions to minimize exposure of the unencrypted Stack Hammer API keys until a fix is available.