Jenkins IBM Cloud DevOps Plugin
- <= 2.0.16
A vulnerability exists in the IBM Cloud DevOps Plugin for Jenkins, specifically in versions through 2.0.16. The plugin stores SonarQube authentication tokens in plain text within job config.xml files on the Jenkins controller. This unencrypted data can be accessed by users with Item/Extended Read permission or those who have access to the Jenkins controller file system.
The vulnerability allows for unauthorized access to SonarQube authentication tokens, which could be misused to interact with SonarQube services or APIs on behalf of the user.
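The exposure described above comes down to a secret-bearing element in a job's config.xml whose value is not in Jenkins' encrypted `{base64}` form. The following scanner is an added defensive example, not code from the plugin or the advisory; the element names in the constructed config.xml and the token value are hypothetical, and it flags any secret-looking element stored outside the encrypted wrapper.

```python
import re
import xml.etree.ElementTree as ET

# Values that pass through hudson.util.Secret are written as base64 wrapped in
# braces, e.g. "{AQAAABAAAAAQ...}". Anything secret-looking without that
# wrapper is stored in plain text. Caveat: very old Jenkins versions wrote bare
# base64, so treat every hit as a lead to verify rather than a confirmed leak.
ENCRYPTED_SECRET = re.compile(r"^\{[A-Za-z0-9+/]+=*\}$")
SECRET_TAG_HINTS = ("token", "password", "secret", "apikey", "api_key")

# Constructed sample config.xml (hypothetical element names, fake token value).
SAMPLE_CONFIG_XML = """<?xml version='1.0' encoding='UTF-8'?>
<project>
  <publishers>
    <com.example.SonarQubePublisher>
      <sonarServerUrl>https://sonar.example.internal</sonarServerUrl>
      <sonarToken>squ_0123456789abcdef0123456789abcdef01234567</sonarToken>
    </com.example.SonarQubePublisher>
    <com.example.OtherStep>
      <apiPassword>{AQAAABAAAAAQ9x7x5mK6U0q3H8rbZ2EgY4h1w2fF3gT8kQ==}</apiPassword>
    </com.example.OtherStep>
  </publishers>
</project>
"""


def _walk(elem, path, findings):
    tag = elem.tag.split("}")[-1]  # drop any XML namespace prefix
    here = f"{path}/{tag}"
    if any(hint in tag.lower() for hint in SECRET_TAG_HINTS):
        value = (elem.text or "").strip()
        if value and not ENCRYPTED_SECRET.match(value):
            findings.append(here)
    for child in elem:
        _walk(child, here, findings)


def find_plaintext_secrets(config_xml: str):
    """Return the element paths whose name suggests a secret but whose text
    is not in Jenkins' encrypted {base64} form."""
    findings = []
    _walk(ET.fromstring(config_xml), "", findings)
    return findings


if __name__ == "__main__":
    for hit in find_plaintext_secrets(SAMPLE_CONFIG_XML):
        print("plaintext secret at", hit)
```

Run it over `$JENKINS_HOME/jobs/*/config.xml` (and over the same files fetched via the `config.xml` HTTP endpoint, which is what Item/Extended Read exposes) to find jobs that still need the affected plugin upgraded and their tokens rotated.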