CVE-2022-43419

CWE-522Insufficiently Protected CredentialsCWE-2565 documents5 sources
Severity
6.5MEDIUM
EPSS
0.8%
top 26.81%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
2
Jenkins KatalonJenkins Project Jenkins Katalon Plugin
Timeline
PublishedOct 19

Description

Jenkins Katalon Plugin 1.0.32 and earlier stores API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Extended Read permission, or access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:NExploitability: 2.8 | Impact: 3.6

Affected Packages3 packages

CVEListV5jenkins_project/jenkins_katalon_pluginunspecified1.0.32
NVDjenkins/katalon< 1.0.33

🔴Vulnerability Details

3
GHSA
API keys stored in plain text by Jenkins Katalon Plugin2022-10-19
OSV
API keys stored in plain text by Jenkins Katalon Plugin2022-10-19
CVEList
CVE-2022-43419: Jenkins Katalon Plugin 12022-10-19

📋Vendor Advisories

1
Jenkins
Jenkins Security Advisory 2022-10-192022-10-19
CVE-2022-43419 (MEDIUM CVSS 6.5) | Jenkins Katalon Plugin 1.0.32 and e | cvebase.io