Jenkins LoadNinja Plugin Unencrypted API Key Storage Vulnerability
Vulnerability
A vulnerability exists in the LoadNinja Plugin for Jenkins, specifically in versions through 2.1, where LoadNinja API keys are stored unencrypted in job config.xml files on the Jenkins controller. This exposure allows users with Item/Extended Read permission or access to the Jenkins controller file system to view these API keys. Furthermore, the job configuration form does not mask the API keys, increasing the risk of unauthorized observation and capture.
Impact
The unencrypted storage of API keys in accessible job configuration files could lead to unauthorized access to LoadNinja accounts or services, depending on the permissions associated with the API keys.
Remediation
Users of the LoadNinja Plugin should update to version 2.2, which encrypts the API keys and masks them in the job configuration form.
Vulnerability Rating
Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.