Cleartext storage of sensitive information in Katalon - CVE-2022-43419

 

Cleartext storage of sensitive information in Katalon - CVE-2022-43419

Published: October 21, 2022


Vulnerability identifier: #VU68568
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2022-43419
CWE-ID: CWE-312
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Jenkins
Affected software:
Katalon

Detailed vulnerability description

The vulnerability allows a remote attacker to gain access to potentially sensitive information.

The vulnerability exists due to the affected plugin stores API keys unencrypted in job config.xml files on the Jenkins controller as part of its configuration. A remote user can view these API keys.


How to mitigate CVE-2022-43419

Install updates from vendor's website.

Sources