Description

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146

Related Vulnerabilities

CVE-2014-0072 Vulnerability in npm package cordova-plugin-file-transfer

CVE-2022-28732 Vulnerability in maven package org.apache.jspwiki:jspwiki-war

CVE-2015-2156 Vulnerability in maven package io.netty:netty

CVE-2016-4055 Vulnerability in maven package org.fujion.webjars:moment

CVE-2022-36911 Vulnerability in maven package org.jenkins-ci.plugins:openstack-heat

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory