Jenkins Cadence vManager Plugin Stores Verisium Manager vAPI keys Unencrypted
Moderate severity
GitHub Reviewed
Published
Apr 2, 2025
to the GitHub Advisory Database
•
Updated Apr 2, 2025
Package
Affected versions
< 4.0.1
Patched versions
4.0.1
Description
Published by the National Vulnerability Database
Apr 2, 2025
Published to the GitHub Advisory Database
Apr 2, 2025
Reviewed
Apr 2, 2025
Last updated
Apr 2, 2025
Jenkins Cadence vManager Plugin 4.0.0-282.v5096a_c2db_275 and earlier stores Verisium Manager vAPI keys unencrypted in job
config.xmlfiles on the Jenkins controller as part of its configuration.These API keys can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
Cadence vManager Plugin 4.0.1-286.v9e25a_740b_a_48 stores Verisium Manager vAPI keys encrypted once affected job configurations are saved again.
References