Description

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Remediation

References

https://www.jenkins.io/security/advisory/2023-05-16/#SECURITY-3146

Related Vulnerabilities

CVE-2020-2199 Vulnerability in maven package org.jenkins-ci.plugins:subversion

CVE-2018-8006 Vulnerability in maven package org.apache.activemq:activemq-web-console

CVE-2023-24444 Vulnerability in maven package org.jenkins-ci.plugins:openid

CVE-2022-28731 Vulnerability in maven package org.apache.jspwiki:jspwiki-main

CVE-2020-16013 Vulnerability in npm package electron

Severity

Medium

Classification

CWE-522 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Tags

Vendor Advisory