Unencrypted API Key Exposure in Jenkins Katalon Plugin by Jenkins
CVE-2022-43419

6.5MEDIUM

Key Information:

Vendor: Jenkins
Status: Jenkins Katalon Plugin
Vendor: CVE Published:; 19 October 2022

Summary

The Jenkins Katalon Plugin before version 1.0.33 contains a vulnerability that allows sensitive API keys to be stored in an unencrypted format within the job config.xml files on the Jenkins controller. This poses a risk as users with Extended Read permissions or access to the file system can potentially view these sensitive details, leading to unauthorized access to external applications and services. It is crucial for users of the Katalon Plugin to upgrade to the latest version to mitigate this risk.

Affected Version(s)

Jenkins Katalon Plugin <= 1.0.32

References

https://www.jenkins.io/security/advisory/2022-10-19/#SECU...

http://www.openwall.com/lists/oss-security/2022/10/19/3

mailing-list

CVSS V3.1

Score:

6.5

Severity:

MEDIUM

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Oct 19, 2022
Vulnerability Reserved
Oct 18, 2022