CVE-2023-2632

CWE-256 CWE-522 — Insufficiently Protected Credentials CWE-770 — Allocation without Limits8 documents7 sources

Severity

4.3MEDIUM

EPSS

0.7%

top 26.98%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Jenkins Jenkins Code DX Plugin Jenkins Code DX

Timeline

PublishedMay 16

Latest updateDec 30

Description

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller where they can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:NExploitability: 2.8 | Impact: 1.4

Affected Packages3 packages

▶Mavenorg.jenkins-ci.plugins:codedx< 4.0.0

▶CVEListV5jenkins/jenkins_code_dx_plugin3.1.0

▶NVDjenkins/code_dx3.1.0

🔴Vulnerability Details

OSV

exfat: use kvmalloc_array/kvfree instead of kmalloc_array/kfree↗2025-12-30

▶

GHSA

Jenkins Code Dx Plugin stores API keys in plain text↗2023-05-16

▶

OSV

Jenkins Code Dx Plugin stores API keys in plain text↗2023-05-16

▶

CVEList

API keys stored and displayed in plain text by Code Dx Plugin↗2023-05-16

▶

📋Vendor Advisories

Jenkins

Jenkins Security Advisory 2023-05-16↗2023-05-16

▶