Jenkins LoadNinja Plugin API Key Masking Vulnerability

Vulnerability

The LoadNinja Plugin for Jenkins, in versions 2.1 and earlier, does not mask LoadNinja API keys in the job configuration form, which increases the risk that unauthorized users observe and capture them. The keys are also stored in plain text in the job 'config.xml' files on the Jenkins controller, where they can be read by users with Item/Extended Read permission or by anyone with access to the Jenkins controller file system.

Impact

The lack of masking for LoadNinja API keys in the job configuration form heightens the risk of exposure and unauthorized access to these keys, which are stored unencrypted in the job configuration files on the Jenkins controller.

Remediation

Users are advised to update the LoadNinja Plugin to version 2.2, which encrypts the API keys and masks them in the job configuration form.
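
One way to check a controller for job 'config.xml' files that still hold a key in plain text, as an added example that is not code from the plugin or from this advisory. It assumes the key sits in an element whose name contains "apikey"; the element names and key values in the samples are constructed.

```python
import re
import sys
import xml.etree.ElementTree as ET
from pathlib import Path

# Jenkins writes encrypted Secret values as base64 text wrapped in braces.
ENCRYPTED = re.compile(r"^\{[A-Za-z0-9+/=]+\}$")
# Assumption: the key is stored in an element whose name contains "apikey".
KEY_TAG = re.compile(r"apikey", re.IGNORECASE)
# Jenkins emits an XML 1.1 declaration, which Python's expat parser rejects.
XML_DECL = re.compile(r"^\s*<\?xml[^>]*\?>")

def plaintext_keys(xml_text):
    """Return names of key-like elements whose value is not encrypted."""
    root = ET.fromstring(XML_DECL.sub("", xml_text, count=1))
    return [
        elem.tag
        for elem in root.iter()
        if KEY_TAG.search(elem.tag)
        and (elem.text or "").strip()
        and not ENCRYPTED.match(elem.text.strip())
    ]

def audit(jenkins_home):
    """Map each job config.xml under jenkins_home to its plaintext key tags."""
    report = {}
    for cfg in sorted(Path(jenkins_home).glob("jobs/**/config.xml")):
        try:
            hits = plaintext_keys(cfg.read_text(encoding="utf-8"))
        except (ET.ParseError, OSError, UnicodeDecodeError) as exc:
            hits = ["unreadable: " + type(exc).__name__]
        if hits:
            report[str(cfg)] = hits
    return report

# Constructed samples; element names and key values are hypothetical.
SAMPLE_PLAIN = """<?xml version='1.1' encoding='UTF-8'?>
<project><builders><loadNinjaStep>
  <apiKey>constructed-plain-key-123</apiKey>
</loadNinjaStep></builders></project>"""
SAMPLE_ENCRYPTED = SAMPLE_PLAIN.replace(
    "constructed-plain-key-123", "{AQAAABAAAAAQY29uc3RydWN0ZWQ=}")

if __name__ == "__main__":
    if len(sys.argv) > 1:
        for path, tags in audit(sys.argv[1]).items():
            print(path, ",".join(tags))
    else:
        print(plaintext_keys(SAMPLE_PLAIN), plaintext_keys(SAMPLE_ENCRYPTED))
```

Run it with the Jenkins home directory as the only argument; it reports file paths and element names only, never the key values themselves.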

Added: Mar 18, 2026, 4:56 PM
Updated: Mar 18, 2026, 4:56 PM

Vulnerability Rating

Custom Algorithm
spread: 5.7
impact: 2.5
exploitability: 4.5
remediation: 7.7
relevance: 4.1
threat: 0.0
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.