Description

Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2022-10-19/#SECURITY-2846

http://www.openwall.com/lists/oss-security/2022/10/19/3

Related Vulnerabilities

CVE-2014-0230 Vulnerability in maven package org.apache.tomcat:catalina

CVE-2018-6874 Vulnerability in maven package org.webjars.npm:auth0-js

CVE-2020-8203 Vulnerability in npm package lodash

CVE-2020-11971 Vulnerability in maven package org.apache.camel:camel-spring

CVE-2015-1840 Vulnerability in npm package jquery-ujs

Severity

High

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Tags

Vendor Advisory Mailing List Third Party Advisory