Jenkins AsakusaSatellite Plugin API Key Masking Vulnerability

Vulnerability

The Jenkins AsakusaSatellite Plugin, in versions through 0.1.1, does not mask AsakusaSatellite API keys in the job configuration form, which increases the chance that an attacker can observe and capture them. The plugin also stores these keys unencrypted in job configuration files on the Jenkins controller, where they can be read by users with Item/Extended Read permission or by anyone with access to the Jenkins controller file system.

Impact

The vulnerability allows for the unmasked display and unencrypted storage of AsakusaSatellite API keys, which can be viewed by users with Item/Extended Read permission or access to the Jenkins controller file system.
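
A defender-side audit for the unencrypted storage described above, as an added example that is not part of the original advisory or the plugin's code: it walks the job config.xml files under a Jenkins home and reports key-bearing elements whose value is not in the brace-wrapped form Jenkins uses for encrypted secrets. The element-name pattern, the function names and the sample fixture are assumptions, since the advisory does not give the plugin's XML field name.

```python
import re
import tempfile
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins' Secret type serializes encrypted values as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: the key sits in an element whose tag contains "apikey"/"api_key".
KEY_TAG = re.compile(r"api_?key", re.IGNORECASE)
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(rb"^\s*<\?xml[^>]*\?>")


def find_plaintext_keys(jenkins_home):
    """Return (config path relative to jenkins_home, element tag) per plaintext key."""
    home = Path(jenkins_home)
    findings = []
    for config in sorted((home / "jobs").rglob("config.xml")):
        rel = config.relative_to(home).as_posix()
        try:
            root = ET.fromstring(XML_DECL.sub(b"", config.read_bytes(), count=1))
        except ET.ParseError:
            findings.append((rel, "<unparseable>"))  # surface it, do not skip silently
            continue
        for elem in root.iter():
            value = (elem.text or "").strip()
            if KEY_TAG.search(elem.tag) and value and not ENCRYPTED.match(value):
                findings.append((rel, elem.tag))  # report location only, never the value
    return findings


def build_sample_home(base):
    """Constructed fixture: one job with a plaintext key, one with an encrypted value."""
    samples = {
        "plain-job": "<apiKey>constructed-plaintext-key</apiKey>",
        "sealed-job": "<apiKey>{AQAAABAAAAAQY29uc3RydWN0ZWQ=}</apiKey>",
    }
    for job, key_xml in samples.items():
        job_dir = Path(base) / "jobs" / job
        job_dir.mkdir(parents=True)
        (job_dir / "config.xml").write_text(
            "<?xml version='1.1' encoding='UTF-8'?>\n"
            f"<project><publishers><placeholder>{key_xml}</placeholder></publishers></project>\n"
        )
    return base


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for path, tag in find_plaintext_keys(build_sample_home(tmp)):
            print(f"plaintext key in {path} <{tag}>")
```

Any key this reports should be treated as exposed to everyone with Item/Extended Read permission or controller file system access, and rotated accordingly.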

Added: Sep 1, 2025, 7:22 PM
Updated: Sep 1, 2025, 7:22 PM

Vulnerability Rating

Custom Algorithm

spread: 3.1
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 0.0
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.