PT-2023-20615 · Jenkins · Credentials Plugin, Jenkins Code Dx Plugin

Kevin Guerroudj · Published 2023-05-16 · Updated 2023-05-25 · CVE-2023-2633

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions: Jenkins Code Dx Plugin versions 3.1.0 and earlier

Description: The issue concerns the storage and display of Code Dx server API keys. In affected versions, the plugin stores these keys unencrypted in job config.xml files on the Jenkins controller, where they can be read by users with Item/Extended Read permission or by anyone with access to the controller file system. The job configuration form also does not mask the API keys, so anyone who can view the form can observe or capture them.

Recommendations: Upgrade to Jenkins Code Dx Plugin 4.0.0, which integrates with the Credentials Plugin and no longer stores API keys directly, and reconfigure existing jobs to use that integration; the upgrade alone does not convert keys already written to config.xml. Because the old keys were readable, rotate them on the Code Dx server once the jobs have been reconfigured. Until the upgrade can be done, restrict access to the Jenkins controller file system and limit Item/Extended Read permission to minimize the risk of API key exposure.
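The check a practitioner would want before and after applying the recommendation is whether any job config.xml on the controller still carries a secret as a plain string. The script below is an added example, not code from this advisory, from Jenkins or from the Code Dx plugin. It relies on one Jenkins fact: values of type hudson.util.Secret are serialised into config.xml as an encrypted blob written as `{<base64>}`, so a secret-looking element whose value is not in that form was stored as a raw string, exactly the Code Dx Plugin 3.1.0 behaviour described above. The XML element names in the constructed samples (CodeDxPublisher, `<key>`, `<credentialId>`, `<apiToken>`) are assumptions for illustration only.

```python
"""Find secret-like fields stored in plaintext in Jenkins job config.xml files.

Added example; not code from the advisory, from Jenkins or from the Code Dx plugin.
Jenkins serialises hudson.util.Secret values into config.xml as an encrypted
blob written as "{<base64>}". A plugin that keeps a plain String (as Code Dx
Plugin 3.1.0 and earlier did with its API key) writes the value readable, so
the check is: secret-looking element name + value not in Secret form.
The XML element names in the constructed samples (CodeDxPublisher, <key>,
<credentialId>, <apiToken>) are assumptions for illustration only.
"""
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Element names that commonly carry a credential. "credentialId" is deliberately
# not matched: it is a reference into the Credentials Plugin store, not a secret.
SECRET_NAME = re.compile(r"(?i)(^key$|api[-_]?key|token|password|passphrase|secret)")

# Serialised hudson.util.Secret: base64 inside braces. Very old Jenkins wrote bare
# base64 without braces; such values are (conservatively) reported as findings.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")


def find_plaintext_secrets(config_xml):
    """Return [(element_path, value)] for secret-like fields not in Secret form."""
    findings = []

    def walk(elem, path):
        here = f"{path}/{elem.tag}"
        text = (elem.text or "").strip()
        if text and SECRET_NAME.search(elem.tag) and not ENCRYPTED.match(text):
            findings.append((here, text))
        for child in elem:
            walk(child, here)

    walk(ET.fromstring(config_xml), "")
    return findings


def scan_jobs(jenkins_home):
    """Walk $JENKINS_HOME/jobs/**/config.xml; return {config_path: findings}."""
    results = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except ET.ParseError:
            continue  # unreadable config: skip rather than abort the whole scan
        if hits:
            results[str(cfg)] = hits
    return results


# Constructed sample: a job with Code Dx Plugin <= 3.1.0 style settings (assumed element names).
VULNERABLE_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <org.jenkinsci.plugins.codedx.CodeDxPublisher>
      <url>https://codedx.example.internal/codedx</url>
      <key>cdx-0123456789abcdef0123456789abcdef</key>
    </org.jenkinsci.plugins.codedx.CodeDxPublisher>
  </publishers>
</project>
"""

# Constructed sample: the same job after upgrading to 4.0.0 and reconfiguring it to
# reference a Credentials Plugin entry, plus another publisher whose token is a proper Secret.
FIXED_CONFIG = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <org.jenkinsci.plugins.codedx.CodeDxPublisher>
      <url>https://codedx.example.internal/codedx</url>
      <credentialId>codedx-api-key</credentialId>
    </org.jenkinsci.plugins.codedx.CodeDxPublisher>
    <example.OtherPublisher>
      <apiToken>{AQAAABAAAAAQ8f3Zk9x2Gv7mQ1pLw0cRsT4uV5wX6yZ7aB8cD9eF0gH=}</apiToken>
    </example.OtherPublisher>
  </publishers>
</project>
"""

if __name__ == "__main__":
    # Lay the two samples out like $JENKINS_HOME/jobs/<name>/config.xml and scan them.
    with tempfile.TemporaryDirectory() as home:
        for name, xml in (("codedx-old", VULNERABLE_CONFIG), ("codedx-new", FIXED_CONFIG)):
            job_dir = Path(home, "jobs", name)
            job_dir.mkdir(parents=True)
            (job_dir / "config.xml").write_text(xml, encoding="utf-8")
        for path, hits in scan_jobs(home).items():
            for elem_path, value in hits:
                print(f"{path}: {elem_path} = {value[:8]}... stored in plaintext")
```

Run it as `scan_jobs("/var/lib/jenkins")` (or wherever JENKINS_HOME is) from an account with controller file-system access; only the old-style job is reported, while the reconfigured job yields nothing because `credentialId` is a reference and the `{...}` token is already a Secret. A job that still produces a finding after the 4.0.0 upgrade has not been reconfigured and its key should be treated as exposed.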

Fix

Upgrade to Jenkins Code Dx Plugin 4.0.0 and reconfigure existing jobs to use the Credentials Plugin integration.

Weakness Enumeration

Insufficiently Protected Credentials

Related Identifiers

CVE-2023-2633
GHSA-352V-HHMH-2W8H

Affected Products

Credentials Plugin
Jenkins
Jenkins Code Dx Plugin