4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-2632

GHSA ID

GHSA-gpc2-f62m-c6h6

EPSS Score

0.53121%

CWE

CWE-256

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2632

CVE-2023-2632: Jenkins Code Dx Plugin stores API keys in plain text

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.

(GitHub Advisory)

4.3

CVSS Score

3.1

Basic Information

CVE ID

CVE-2023-2632

GHSA ID

GHSA-gpc2-f62m-c6h6

EPSS Score

0.53121%

CWE

CWE-256

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:codedx	maven	< 4.0.0	4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from three key aspects: 1) The getKey() method directly returns unencrypted API keys stored in job configs. 2) The doCheckKey validation method handles plaintext credentials without masking. 3) The Jelly UI configuration uses a textbox instead of credentials selector. The commit diff shows replacement of direct key storage with Credentials Plugin integration (keyCredentialId), removal of plaintext validation, and UI changes to use credential selectors, confirming these were the vulnerable components.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *o** *x Plu*in *.*.* *n* **rli*r stor*s *o** *x s*rv*r *PI k*ys un*n*rypt** in jo* `*on*i*.xml` *il*s on t** J*nkins *ontroll*r *s p*rt o* its *on*i*ur*tion. T**s* *PI k*ys **n ** vi*w** *y us*rs wit* It*m/*xt*n*** R*** p*rmission or ****ss

Reasoning

T** vuln*r**ility st*ms *rom t*r** k*y *sp**ts: *) T** `**tK*y()` m*t*o* *ir**tly r*turns un*n*rypt** *PI k*ys stor** in jo* `*on*i*s`. *) T** `*o****kK*y` v*li**tion m*t*o* **n*l*s pl*int*xt *r***nti*ls wit*out m*skin*. *) T** J*lly UI `*on*i*ur*tio

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-2632: Jenkins Code Dx Plugin stores API keys in plain text

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

Vulnerability Intelligence
Miggo AI