| Package Name | Ecosystem | Vulnerable Versions | First Patched Version |
|---|---|---|---|
| io.jenkins.plugins:testsigma | maven | <= 1.6 | |
The vulnerability lies in the job configuration UI of the Jenkins Testsigma Test Plan run Plugin. The plugin fails to mask the Testsigma API key, which is a secret credential: the `config.jelly` file renders the `apiKey` field with a standard text input (`<f:textbox />`) instead of a password field (`<f:password />`). As a result, the API key is displayed in plain text on the job configuration page and is readable by any user with permission to view that configuration.

The root cause is a failure to follow Jenkins secure-development practice for handling secrets in plugins. The vulnerable functions are the constructor of the `TestsigmaTestPlan` class, which receives the unmasked API key from the form, and the `perform` method, which uses this key to interact with the Testsigma API. An attacker with access to the Jenkins UI could read the API key and gain unauthorized access to the Testsigma platform.
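As an added example (not the plugin's own code), the following Python audit flags Jelly form fields whose names look like secrets but are rendered with `<f:textbox />`, the pattern described above. The sample `config.jelly` content is constructed to mirror the bug; the field names and the secret-name regex are assumptions.

```python
"""Audit Jenkins plugin config.jelly files for secret-looking fields rendered
with <f:textbox/> instead of <f:password/>."""
import re
import pathlib
import xml.etree.ElementTree as ET

FORM_NS = "/lib/form"  # namespace of the Jenkins form taglib (xmlns:f) in config.jelly
# Heuristic list of field names that should be masked (assumption, extend as needed).
SECRET_FIELD = re.compile(r"(apikey|api_key|token|secret|password|passwd)", re.I)

# Constructed sample modelled on the advisory: apiKey rendered with a plain textbox.
VULNERABLE_JELLY = """<?jelly escape-by-default='true'?>
<j:jelly xmlns:j="jelly:core" xmlns:f="/lib/form">
  <f:entry title="Testsigma URL" field="testsigmaUrl">
    <f:textbox />
  </f:entry>
  <f:entry title="API key" field="apiKey">
    <f:textbox />
  </f:entry>
</j:jelly>
"""

# Constructed hardened version: same field, rendered as a password control.
# (In the Java class the field must also be typed hudson.util.Secret so it is
# stored encrypted; the Jelly change alone only fixes the on-screen display.)
FIXED_JELLY = VULNERABLE_JELLY.replace(
    '<f:entry title="API key" field="apiKey">\n    <f:textbox />',
    '<f:entry title="API key" field="apiKey">\n    <f:password />')


def find_unmasked_secrets(jelly_xml: str) -> list:
    """Return field names that look secret but are bound to an <f:textbox/>."""
    root = ET.fromstring(jelly_xml)
    parent = {child: p for p in root.iter() for child in p}
    findings = []
    for box in root.iter("{%s}textbox" % FORM_NS):
        field, node = box.get("field"), box
        while field is None and node in parent:  # inherit field from enclosing <f:entry>
            node = parent[node]
            field = node.get("field")
        if field and SECRET_FIELD.search(field):
            findings.append(field)
    return findings


def scan_plugin_tree(root_dir: str) -> dict:
    """Map every config.jelly under root_dir to its unmasked secret fields."""
    return {str(p): find_unmasked_secrets(p.read_text(encoding="utf-8"))
            for p in pathlib.Path(root_dir).rglob("config.jelly")}
```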