Jenkins Statistics Gatherer Plugin AWS Secret Key Storage Vulnerability

Vulnerability

A vulnerability exists in the Jenkins Statistics Gatherer Plugin in versions through 2.0.3, where the AWS Secret Key is stored unencrypted in the global configuration file on the Jenkins controller. This key can be accessed by users with permission to read the Jenkins controller file system. Furthermore, the configuration form does not mask the key, increasing the risk of exposure.

Impact

The unencrypted AWS Secret Key can be viewed by users with access to the Jenkins controller file system.
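
A defender can audit a controller for this class of problem. The following is an added example, not code from the plugin or from this advisory: it flags credential-like elements in Jenkins global configuration XML whose values are not in the brace-wrapped form Jenkins uses for encrypted Secret fields. The element names in the sample and the name-matching heuristic are assumptions; the plugin's actual file and field names are not given on this page.

```python
import re
import xml.etree.ElementTree as ET
from pathlib import Path

# Heuristic for credential-like element names (an assumption of this example).
SENSITIVE = re.compile(r"secret|password|passwd|token|apikey|privatekey", re.I)
# Jenkins serializes hudson.util.Secret fields as base64 wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Jenkins writes an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def find_plaintext_secrets(xml_text):
    """Return (element path, value length) for credential-like elements stored in clear."""
    findings = []
    def walk(node, path):
        here = f"{path}/{node.tag}"
        value = (node.text or "").strip()
        if SENSITIVE.search(node.tag) and value and not ENCRYPTED.match(value):
            findings.append((here, len(value)))  # report length only, never the value
        for child in node:
            walk(child, here)
    walk(ET.fromstring(XML_DECL.sub("", xml_text, count=1)), "")
    return findings

def scan_jenkins_home(home):
    """Check the top-level *.xml files, where global plugin configuration is saved."""
    report = {}
    for cfg in sorted(Path(home).glob("*.xml")):
        try:
            hits = find_plaintext_secrets(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError, UnicodeDecodeError):
            continue  # unreadable or malformed file: skip rather than abort the audit
        if hits:
            report[cfg.name] = hits
    return report

# Constructed sample; the element names are hypothetical, not the plugin's real schema.
SAMPLE_CONFIG = """<?xml version='1.1' encoding='UTF-8'?>
<example.plugin.GlobalConfig>
  <awsAccessKey>AKIACONSTRUCTED00000</awsAccessKey>
  <awsSecretKey>constructed-plaintext-secret-value</awsSecretKey>
  <webhookToken>{AQAAABAAAAAQY29uc3RydWN0ZWQtY2lwaGVydGV4dA==}</webhookToken>
</example.plugin.GlobalConfig>"""

if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))
```

Any key the audit finds in clear should be treated as exposed and rotated in AWS, since anyone with read access to the controller file system could already have copied it.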

Added: Jul 9, 2025, 5:13 PM
Updated: Jul 9, 2025, 5:13 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 5.2
remediation: 0.0
relevance: 0.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.