4.3

CVSS Score

Basic Information

CVE ID

CVE-2023-2633

GHSA ID

GHSA-352v-hhmh-2w8h

EPSS Score

CWE

CWE-256

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2023-2633

CVE-2023-2633:
Jenkins Code Dx Plugin displays API keys in plain text

Jenkins Code Dx Plugin 3.1.0 and earlier stores Code Dx server API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration.

These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.

Additionally, the job configuration form does not mask these API keys, increasing the potential for attackers to observe and capture them.

Code Dx Plugin 4.0.0 no longer stores the API keys directly, instead accessing them through its newly added Credentials Plugin integration. Affected jobs need to be reconfigured.

(GitHub Advisory)

4.3

CVSS Score

Basic Information

CVE ID

CVE-2023-2633

GHSA ID

GHSA-352v-hhmh-2w8h

EPSS Score

CWE

CWE-256

Published

5/16/2023

Updated

1/4/2024

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
org.jenkins-ci.plugins:codedx	maven	< 4.0.0	4.0.0

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from plaintext storage and display of API keys in job configurations. Key evidence includes: 1) The constructor directly stores unencrypted 'key' parameter. 2) getKey() exposes the plaintext value. 3) perform() uses the raw key for API communication. 4) Project ID dropdown population (doFillProjectIdItems) required handling the plaintext key. The commit diff shows these were replaced with credential ID handling in v4.0.0, confirming these were the vulnerable points. The config.jelly's textbox (replaced with credentials selector) also contributed to exposure but is handled at the UI layer rather than code functions.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

J*nkins *o** *x Plu*in *.*.* *n* **rli*r stor*s *o** *x s*rv*r *PI k*ys un*n*rypt** in jo* `*on*i*.xml` *il*s on t** J*nkins *ontroll*r *s p*rt o* its *on*i*ur*tion. T**s* *PI k*ys **n ** vi*w** *y us*rs wit* It*m/*xt*n*** R*** p*rmission or ****ss

Reasoning

T** vuln*r**ility st*ms *rom pl*int*xt stor*** *n* *ispl*y o* *PI k*ys in jo* *on*i*ur*tions. K*y *vi**n** in*lu**s: *) T** *onstru*tor *ir**tly stor*s un*n*rypt** 'k*y' p*r*m*t*r. *) **tK*y() *xpos*s t** pl*int*xt v*lu*. *) p*r*orm() us*s t** r*w k*

4.3

Basic Information

Concerned about an active attack path?

CVE-2023-2633: Jenkins Code Dx Plugin displays API keys in plain text

4.3

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2023-2633:
Jenkins Code Dx Plugin displays API keys in plain text

Vulnerability Intelligence
Miggo AI