PT-2023-20611 · Jenkins · Credentials Plugin+2
Kevin Guerroudj · Published 2023-05-16 · Updated 2023-05-25
CVE-2023-2632 · CVSS v3.1 4.3 (Medium)
| Vector | AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Jenkins Code Dx Plugin versions 3.1.0 and earlier
Description
Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller. These keys can be viewed by users with Item/Extended Read permission or with access to the Jenkins controller file system. In addition, the job configuration form does not mask these API keys, so they can also be observed and captured by anyone who can see the form.
Recommendations
For Jenkins Code Dx Plugin versions 3.1.0 and earlier, reconfigure affected jobs to use the Credentials Plugin integration provided in version 4.0.0, which no longer stores API keys directly in the job configuration. As a temporary workaround, restrict access to the Jenkins controller file system and limit Item/Extended Read permission to reduce the risk of API key exposure.
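As an added example (not code from the advisory or the Code Dx plugin), the following check lets a Jenkins administrator locate job config.xml files that still hold an API key in plaintext before migrating them to the Credentials Plugin integration. The element name codeDxApiKey and the sample configurations are assumptions; the test for the encrypted form relies on Jenkins serialising Secret values as `{base64}`.

```python
"""Added example (not from the advisory or the Code Dx plugin): flag job
config.xml files whose API-key elements hold plaintext rather than the
'{base64}' form Jenkins uses for encrypted Secret values. The element name
'codeDxApiKey' and the sample configs below are assumptions."""
import re
import xml.etree.ElementTree as ET
from pathlib import Path

ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")  # Jenkins Secret serialisation
API_KEY_TAG = re.compile(r"api[-_]?key", re.IGNORECASE)   # e.g. apiKey, api_key, ApiKey


def mask(value: str) -> str:
    """Keep only the first and last two characters so findings can be logged safely."""
    return value if len(value) <= 4 else f"{value[:2]}...{value[-2:]}"


def find_plaintext_api_keys(config_xml: str) -> list[tuple[str, str]]:
    """Return (parent/element, masked value) for each API-key-like element
    whose text is not in Jenkins' encrypted-Secret form."""
    findings = []
    for parent in ET.fromstring(config_xml).iter():
        for child in parent:
            value = (child.text or "").strip()
            if value and API_KEY_TAG.search(child.tag) and not ENCRYPTED_SECRET.match(value):
                findings.append((f"{parent.tag}/{child.tag}", mask(value)))
    return findings


def scan_jenkins_home(jenkins_home: Path) -> dict[str, list[tuple[str, str]]]:
    """Check every jobs/*/config.xml under JENKINS_HOME; map job name -> findings."""
    results = {}
    for cfg in sorted(jenkins_home.glob("jobs/*/config.xml")):
        hits = find_plaintext_api_keys(cfg.read_text(encoding="utf-8"))
        if hits:
            results[cfg.parent.name] = hits
    return results


# Constructed samples: the pre-4.0.0 pattern the advisory describes (plaintext
# key in the job config) beside a value already stored as an encrypted Secret.
SAMPLE_VULNERABLE = """<project>
  <publishers>
    <codeDxPublisher>
      <url>https://codedx.example.internal</url>
      <codeDxApiKey>0123456789abcdef-placeholder</codeDxApiKey>
    </codeDxPublisher>
  </publishers>
</project>"""
SAMPLE_PROTECTED = SAMPLE_VULNERABLE.replace(
    "0123456789abcdef-placeholder", "{AQAAABAAAAAQexampleEncryptedBlob=}")
```

Run `scan_jenkins_home(Path("/var/lib/jenkins"))` (or wherever JENKINS_HOME lives) and treat every reported job as one to reconfigure; the masked values are safe to paste into a ticket.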
Fix
Insufficiently Protected Credentials
Related Identifiers
Affected Products
Credentials Plugin
Jenkins
Jenkins Code Dx Plugin