Unsecured API Key Storage in Jenkins AsakusaSatellite Plugin by CloudBees
CVE-2025-31727

5.5 MEDIUM

Key Information:

Vendor: Jenkins
CVE Published: 2 April 2025

Summary

The Jenkins AsakusaSatellite Plugin prior to version 0.1.1 contains a vulnerability that leads to the insecure storage of API keys. These keys are saved in unencrypted form within the job config.xml files on the Jenkins controller. Consequently, users with Item/Extended Read permissions or those with access to the Jenkins controller file system can potentially view these sensitive API keys, risking unauthorized access to associated resources.
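An audit for the condition described above, as an added example that is not code from the plugin or from Jenkins: it walks job config.xml files under a Jenkins home directory and reports credential-like elements whose value is not in the `{base64}` form Jenkins uses for encrypted secrets. The element names (`apiKey`, `hypothetical.Publisher`), the tag-name heuristic and the sample jobs are assumptions constructed for illustration.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins writes hudson.util.Secret fields as "{<base64 ciphertext>}".
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumed heuristic for credential-like element names, not the plugin's schema.
SECRET_TAG = re.compile(r"api[-_]?key|token|secret|password", re.I)
# Jenkins emits XML 1.1 declarations, which Python's expat parser rejects.
XML11 = re.compile(rb"^(<\?xml\s+version=['\"])1\.1")

def find_plaintext_secrets(jenkins_home):
    """Return (job, element, value_length) per plaintext hit; never the value."""
    jobs_dir = Path(jenkins_home) / "jobs"
    findings = []
    for cfg in sorted(jobs_dir.rglob("config.xml")):
        job = cfg.parent.relative_to(jobs_dir).as_posix()
        data = XML11.sub(rb"\g<1>1.0", cfg.read_bytes().lstrip())
        try:
            root = ET.fromstring(data)
        except ET.ParseError:
            findings.append((job, "<unparseable>", 0))
            continue
        for el in root.iter():
            value = (el.text or "").strip()
            if value and SECRET_TAG.search(el.tag) and not ENCRYPTED.match(value):
                findings.append((job, el.tag, len(value)))
    return findings

def build_sample(home):
    """Constructed sample data: one plaintext key, one encrypted key."""
    template = ("<?xml version='1.1' encoding='UTF-8'?>\n<project><publishers>"
                "<hypothetical.Publisher><apiKey>%s</apiKey>"
                "</hypothetical.Publisher></publishers></project>")
    keys = {"legacy-job": "constructed-plaintext-key",
            "encrypted-job": "{AQAAABAAAAAQc2FtcGxlLWNpcGhlcnRleHQ=}"}
    for job, key in keys.items():
        path = Path(home) / "jobs" / job
        path.mkdir(parents=True)
        (path / "config.xml").write_text(template % key, encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as home:
        build_sample(home)
        for job, tag, length in find_plaintext_secrets(home):
            print(f"{job}: <{tag}> holds a {length}-character plaintext value")
```

Any key the audit flags should be treated as exposed to everyone who could read that job's configuration and rotated.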

Affected Version(s)

Jenkins AsakusaSatellite Plugin 0 <= 0.1.1

CVSS V3.1

Score: 5.5
Severity: MEDIUM
Confidentiality: Low
Integrity: Low
Availability: Low
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: Required
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved